- Daily - CERT.at

Tageszusammenfassung - 10.05.2024
by Daily end-of-shift report 10 May '24

10 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2024 18:00 − Freitag 10-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Datenschutzvorfall: Dell informiert über Abfluss von Kundendaten ∗∗∗ --------------------------------------------- Zu den abgeflossenen Informationen zählen laut Dell Namen, Adressdaten sowie weitere Daten über Bestellungen und darin enthaltene Dell-Hardware. --------------------------------------------- https://www.golem.de/news/datenschutzvorfall-dell-informiert-ueber-abfluss-… ∗∗∗ APT trends report Q1 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2024/112473/ ∗∗∗ Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery ∗∗∗ --------------------------------------------- Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. --------------------------------------------- https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html ∗∗∗ GhostStripe attack haunts self-driving cars by making them ignore road signs ∗∗∗ --------------------------------------------- Six boffins mostly hailing from Singapore-based universities have proven it's possible to attack autonomous vehicles by exploiting the system's reliance on camera-based computer vision and cause it to not recognize road signs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/10/baidu_apollo… ∗∗∗ Back to the Hype: An Update on How Cybercriminals Are Using GenAI ∗∗∗ --------------------------------------------- Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-th… ∗∗∗ Zscaler Investigates Hacking Claims After Data Offered for Sale ∗∗∗ --------------------------------------------- Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access. --------------------------------------------- https://www.securityweek.com/zscaler-investigates-hacking-claims-after-data… ∗∗∗ With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge ∗∗∗ --------------------------------------------- The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. --------------------------------------------- https://therecord.media/secure-by-design-companies-cisa-rsa ∗∗∗ In interview, LockbitSupp says authorities outed the wrong guy ∗∗∗ --------------------------------------------- The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake. --------------------------------------------- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit ∗∗∗ Krypto-Betrüger: Sechs Österreicher festgenommen ∗∗∗ --------------------------------------------- Weil sie einen Online-Handel mit angeblich neuer Kryptowährung aufgezogen und damit Investoren abgezockt haben, wurden nun sechs Österreicher verhaftet. --------------------------------------------- https://heise.de/-9714300 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, [...] --------------------------------------------- https://lwn.net/Articles/973071/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl). --------------------------------------------- https://lwn.net/Articles/973206/ ∗∗∗ Admins müssen selbst handeln: PuTTY-Sicherheitslücke bedroht Citrix Hypervisor ∗∗∗ --------------------------------------------- Um XenCenter für Citrix Hypervisor abzusichern, müssen Admins händisch ein Sicherheitsupdate für das SSH-Tool PuTTY installieren. --------------------------------------------- https://heise.de/-9713898 ∗∗∗ Google Chrome: Exploit für Zero-Day-Lücke gesichtet ∗∗∗ --------------------------------------------- In Googles Webbrowser Chrome klafft eine Sicherheitslücke, für die ein Exploit existiert. Google reagiert mit einem Notfall-Update. --------------------------------------------- https://heise.de/-9714519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-05 Reference Advisory: Junos OS and Junos OS Evolved: Multiple CVEs reported in OpenSSH ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Juno… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2024
by Daily end-of-shift report 08 May '24

08 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2024 18:00 − Mittwoch 08-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Der Briefkasten daheim als Einfallstor für Internet-Betrugsmaschen? ∗∗∗ --------------------------------------------- Online-Betrug lauert nicht nur im Internet. Zu Anrufen und SMS, die oft in Online-Betrugsmaschen führen, gesellt sich nun auch der Postkasten des Eigenheims als Einfallstor für Kriminelle hinzu. Sie nutzen die Briefkästen ihrer Opfer beispielsweise, um Sendungen aus Bestellbetrug zu erhalten, Daten und in weiterer Folge Geld zu stehlen oder um betrügerische Handwerksdienste und dazugehörige Websites zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/der-briefkasten-daheim-als-einfallst… ∗∗∗ Massive webshop fraud ring steals credit cards from 850,000 people ∗∗∗ --------------------------------------------- A massive network of 75,000 fake online shops called BogusBazaar tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-s… ∗∗∗ Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th) ∗∗∗ --------------------------------------------- DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS. --------------------------------------------- https://isc.sans.edu/diary/rss/30898 ∗∗∗ Analyzing Synology Disks on Linux, (Wed, May 8th) ∗∗∗ --------------------------------------------- Synology NAS solutions are popular devices. They are also used in many organizations. [..] They offer multiple disk management options but rely on many open-source software (like most appliances). [..] Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools. In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. --------------------------------------------- https://isc.sans.edu/diary/rss/30904 ∗∗∗ Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version ∗∗∗ --------------------------------------------- A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. --------------------------------------------- https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html ∗∗∗ New Spectre-Style Pathfinder Attack Targets Intel CPU, Leak Encryption Keys and Data ∗∗∗ --------------------------------------------- Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. [..] Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs. --------------------------------------------- https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html ∗∗∗ Ghidra nanoMIPS ISA module ∗∗∗ --------------------------------------------- Here we will demonstrate how to load a MediaTek baseband firmware into Ghidra for analysis with our nanoMIPS ISA module. --------------------------------------------- https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/ ∗∗∗ Vorsicht vor gefälschten Online-Banking-Seiten auf Bing, Google & Co ∗∗∗ --------------------------------------------- Kriminelle schalten Anzeigen in Suchmaschinen (vor allem BING) und locken so Opfer auf gefälschte Online-Banking-Seiten. Vorsicht: Wenn Sie hier Ihre Daten eingeben, können hohe Beträge von Ihrem Konto abgebucht werden! Vergewissern Sie sich immer, dass Sie auf der echten Login-Seite Ihrer Bank sind! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-online-banking-suchmasc… ∗∗∗ RemcosRAT Distributed Using Steganography ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed. --------------------------------------------- https://asec.ahnlab.com/en/65111/ ===================== = Vulnerabilities = ===================== ∗∗∗ F5: K000139404: Quarterly Security Notification (May 2024) ∗∗∗ --------------------------------------------- F5 has released 13 security advisories (7x high, 6x medium) and 3 security exposures. --------------------------------------------- https://my.f5.com/manage/s/article/K000139404 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2). --------------------------------------------- https://lwn.net/Articles/972861/ ∗∗∗ WordPress: Cross-Site-Scripting-Schwachstelle in älteren Cores; und WordPress 6.5.3 verfügbar ∗∗∗ --------------------------------------------- Ich hoffe, ihr seid auf der aktuellen WordPress-Version, denn in älteren WordPress-Versionen gibt es eine Cross-Site-Scripting-Schwachstelle [..] und wer LightSpeed Cache als Plugin nutzt, sollte dringend updaten. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/wordpress-cross-site-scripting-sch… ∗∗∗ VMware Avi Load Balancer: Rechteausweitung zu root möglich ∗∗∗ --------------------------------------------- Im Load Balancer VMware Avi können Angreifer ihre Rechte erhöhen oder unbefugt auf Informationen zugreifen. Updates korrigieren das. --------------------------------------------- https://heise.de/-9711733 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2024
by Daily end-of-shift report 07 May '24

07 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 06-05-2024 18:00 − Dienstag 07-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Case Study: The Malicious Comment ∗∗∗ --------------------------------------------- How safe is your comments section? Discover how a seemingly innocent thank you comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. --------------------------------------------- https://thehackernews.com/2024/05/new-case-study-malicious-comment.html ∗∗∗ Ransomware evolves from mere extortion to psychological attacks ∗∗∗ --------------------------------------------- RSAC Ransomware infections and extortion attacks have become "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/07/ransomware_e… ∗∗∗ Betrug am Telefon: Kriminelle täuschen hohe Abbuchungen vor ∗∗∗ --------------------------------------------- Vorsicht, wenn Ihnen jemand am Telefon erklärt, dass es „versteckte Abbuchungen“ von Ihrem Bankkonto gibt. Hierbei handelt es sich um eine Betrugsmasche. Um glaubwürdig zu wirken, nennen die Kriminellen persönliche Daten von Ihnen. Diese wurden aber im Zuge einer Phishing-Falle gesammelt. Legen Sie auf! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-am-telefon-kriminelle-taeusch… ∗∗∗ Ein Kopf (Administrator) der LockBit-Gruppe enttarnt? ∗∗∗ --------------------------------------------- Der "Kopf" und gleichzeitig Administrator der Ransomware-Gruppe LockBit ist laut Mitteilung der Strafverfolger identifiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/ein-kopf-administrator-der-lockbit… ===================== = Vulnerabilities = ===================== ∗∗∗ TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak ∗∗∗ --------------------------------------------- Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). --------------------------------------------- https://www.leviathansecurity.com/blog/tunnelvision ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen). --------------------------------------------- https://lwn.net/Articles/972679/ ∗∗∗ Android-Patchday: Angreifer können Rechte im System ausweiten ∗∗∗ --------------------------------------------- Google schließt am Android-Patchday mehrere Lücken, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://heise.de/-9710075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC Codebeamer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-01 ∗∗∗ SUBNET Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2024
by Daily end-of-shift report 06 May '24

06 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-05-2024 18:00 − Montag 06-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vorsicht vor gefälschten RTR-Briefen ∗∗∗ --------------------------------------------- Kriminelle geben sich in einem Brief als Rundfunk und Telekom Regulierungs-GmbH (RTR) aus. Im Schreiben steht, dass für den Anschluss an Mobilfunknetze und die Wartung von Basisstationen ein Entgelt von € 8,90 zu bezahlen sei. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rtr-briefe… ∗∗∗ Microsoft: Sicherheit oberste Priorität in Produkten, Diensten und intern ∗∗∗ --------------------------------------------- In einem internen Memo und einem Blogpost stellt Microsoft Security bei allen Entwicklungen an erste Stelle. Das gilt für Produkte wie Services. [..] Charlie Bell zufolge will sich sein Unternehmen strikt an die Vorgaben des CSRB halten. --------------------------------------------- https://heise.de/-9708577 ∗∗∗ Breaking down Microsoft’s pivot to placing cybersecurity as a top priority ∗∗∗ --------------------------------------------- Recently, Microsoft had quite frankly a kicking from the US Department of Homeland Security over their security practices in a Cyber Safety Review Board report. I’ve tried to keep as quiet as possible about this one for various reasons (and I was not involved in the CSRB report, even anonymously) — although long time followers will know I’ve been often critical of Microsoft’s security posture. The CSRB report is well worth a read — they did a great job. [..] As always, the proof is in the pudding, not the vendor blog. I think these changes will take a few years to start to work through, and fully expect a few more clanger breaches in the mean time. And that’s annoying but okay, because hard work is hard. --------------------------------------------- https://doublepulsar.com/breaking-down-microsofts-pivot-to-placing-cybersec… ∗∗∗ Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution ∗∗∗ --------------------------------------------- More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet thats vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. --------------------------------------------- https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html ∗∗∗ Lockbits seized site comes alive to tease new police announcements ∗∗∗ --------------------------------------------- The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-a… ∗∗∗ Why Your VPN May Not Be As Secure As It Claims ∗∗∗ --------------------------------------------- Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a targets traffic off of the protection provided by their VPN without triggering any alerts to the user. --------------------------------------------- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it… ∗∗∗ Financial cyberthreats in 2023 ∗∗∗ --------------------------------------------- In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware. --------------------------------------------- https://securelist.com/financial-threat-report-2023/112526/ ∗∗∗ HijackLoader Updates ∗∗∗ --------------------------------------------- HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. It uses a modular architecture, a feature that most loaders do not have – which we discussed in a previous HijackLoader blog. ThreatLabz researchers recently analyzed a new HijackLoader sample that has updated evasion techniques. --------------------------------------------- https://www.zscaler.com/blogs/security-research/hijackloader-updates ∗∗∗ New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw ∗∗∗ --------------------------------------------- By WaqasA new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_sparkThis is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw --------------------------------------------- https://www.hackread.com/goldoon-botnet-targeting-d-link-devices/ ∗∗∗ End-to-end encryption may be the bane of cops, but they cant close that Pandoras Box ∗∗∗ --------------------------------------------- Police can complain all they like about strong end-to-end encryption making their jobs harder, but it doesn't matter because the technology is here and won't go away. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/05/e2ee_police/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3). --------------------------------------------- https://lwn.net/Articles/972571/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2024
by Daily end-of-shift report 03 May '24

03 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-05-2024 18:00 − Freitag 03-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft rolls out passkey auth for personal Microsoft accounts ∗∗∗ --------------------------------------------- Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs. [..] Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-passkey… ∗∗∗ Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd) ∗∗∗ --------------------------------------------- Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates. [..] And yes, the vulnerability evolves around the "user=admin" cookie and a command injection in the password parameter. This is too stupid to waste any more time on, but it is common enough to just give up and call it a day. --------------------------------------------- https://isc.sans.edu/diary/rss/30890 ∗∗∗ Mal.Metrica Redirects Users to Scam Sites ∗∗∗ --------------------------------------------- One of our analysts recently identified a new Mal.Metrica redirect scam on compromised websites, but one that requires a little bit of effort on the part of the victim. It’s another lesson for web users to be careful what they click on, and to be wary of anything suspicious that pops up in their browser — even if it’s coming from a website that they would otherwise trust. --------------------------------------------- https://blog.sucuri.net/2024/05/mal-metrica-redirects-users-to-scam-sites.h… ∗∗∗ Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications ∗∗∗ --------------------------------------------- Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig. --------------------------------------------- https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.ht… ∗∗∗ Europol op shutters 12 scam call centers and cuffs 21 suspected fraudsters ∗∗∗ --------------------------------------------- A Europol-led operation dubbed “Pandora” has shut down a dozen phone scam centers, and arrested 21 suspects. [..] Beginning in December 2023, German investigators deployed more than 100 officers to trace the scam calls back to the source - call centers run by crooks - and then monitored them. That effort resulted in the interception of more than 1.3 million "nefarious conversations." Baden-Württemberg State Criminal Police officers had to set up a call center of their own so that they could contact potential victims, warning more than 80 percent of them. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/03/operation_pa… ∗∗∗ These Dangerous Scammers Don’t Even Bother to Hide Their Crimes ∗∗∗ --------------------------------------------- “Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more. [..] While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. --------------------------------------------- https://www.wired.com/story/yahoo-boys-scammers-facebook-telegram-tiktok-yo… ∗∗∗ Adding insult to injury: crypto recovery scams ∗∗∗ --------------------------------------------- Once your crypto has been stolen, it is extremely difficult to get back – be wary of fake promises to retrieve your funds and learn how to avoid becoming a victim twice over. --------------------------------------------- https://www.welivesecurity.com/en/scams/crypto-recovery-scams-insult-injury/ ∗∗∗ CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome ∗∗∗ --------------------------------------------- In this guest blog from Master of Pwn winner Manfred Paul, he details CVE-2024-2887 – a type confusion bug that occurs in both Google Chrome and Microsoft Edge (Chromium). He used this bug as a part of his winning exploit that led to code execution in the renderer of both browsers. This bug was quickly patched by both Google and Microsoft. Manfred has graciously provided this detailed write-up of the vulnerability and how he exploited it at the contest. --------------------------------------------- https://www.thezdi.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in… ∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities ∗∗∗ --------------------------------------------- This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/02/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2). --------------------------------------------- https://lwn.net/Articles/972351/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2024
by Daily end-of-shift report 02 May '24

02 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-04-2024 18:00 − Donnerstag 02-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVD - Notizen zur Pressekonferenz ∗∗∗ --------------------------------------------- Ich wurde eingeladen, heute bei einer Pressekonferenz von Epicenter.works am Podium zu sitzen. Es ging um einen Fall, bei dem es im Zuge einer klassischen verantwortungsvollen Offenlegung einer Schwachstelle (Responsible Disclosure, bzw Coordinated Vulnerability Disclosure [CVD]) zu einer Anzeige gekommen ist. Nachzulesen ist der Fall auf der Epicenter Webseite. Ich will hier kurz meine Notizen / Speaking Notes zusammenfassen. --------------------------------------------- https://cert.at/de/blog/2024/4/cvd-policy ∗∗∗ CISA warnt: MS Smartscreen- und Gitlab-Sicherheitslücke werden angegriffen ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat Angriffe auf eine Lücke im Microsoft Smartscreen und auf eine Gitlab-Schwachstelle gesichtet. --------------------------------------------- https://heise.de/-9705715 ∗∗∗ Digitale Signatur: Datenleak bei Dropbox Sign ∗∗∗ --------------------------------------------- Unbekannte Angreifer konnten auf Kundendaten des digitalen Signaturservices Dropbox Sign zugreifen. Andere Dropbox-Produkte sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-9705355 ∗∗∗ Windows 10/11/Server 2022: Kein Fix für den Installationsfehler 0x80070643 beim WinRE-Update mehr ∗∗∗ --------------------------------------------- Seit Januar 2024 kämpfen Nutzer von Windows 10 und Windows 11 (sowie Windows Server 2022) mit dem Versuch Microsofts, ein Update der WinRE-Umgebung zu installieren. Im Januar 2024 ließen zahlreiche Nutzer im Umfeld des Patchday beim Versuch, das Update KB5034441 zu installieren, in den Installationsfehler 0x80070643. Trotz mehrerer Versuche zur Nachbesserung in den Folgemonaten ist es Microsoft nicht gelungen, den Installationsfehler zu beseitigen. Nun kommt das Eingeständnis, dass es keinen automatischen Fix für das Update gibt – es ist Handarbeit angesagt. --------------------------------------------- https://www.borncity.com/blog/2024/05/02/windows-10-11-kein-fix-fr-den-inst… ∗∗∗ “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps ∗∗∗ --------------------------------------------- Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attac… ∗∗∗ Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th) ∗∗∗ --------------------------------------------- Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS. [..] Based on our logs, only one IP address exploits the vulnerability: %%ip: 89.190.156.248%%. --------------------------------------------- https://isc.sans.edu/diary/rss/30884 ∗∗∗ Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. [..] The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection. --------------------------------------------- https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html ∗∗∗ New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials ∗∗∗ --------------------------------------------- A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. [..] Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers. --------------------------------------------- https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html ∗∗∗ Autodesk: Important Security Update for Autodesk Drive ∗∗∗ --------------------------------------------- In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-autodesk-dr… ∗∗∗ Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) ∗∗∗ --------------------------------------------- While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware. --------------------------------------------- https://asec.ahnlab.com/en/64921/ ∗∗∗ CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity ∗∗∗ --------------------------------------------- This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates verfügbar ∗∗∗ --------------------------------------------- In ArubaOS, dem Betriebssystem vieler Geräte von HPE Aruba Networks, existieren mehrere kritische Sicherheitslücken. Diese ermöglichen unter anderem die Ausführung von beliebigem Code und Denial-of-Service (DoS) Angriffe. CVE-Nummern: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512, CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518 CVSSv3 Scores: bis zu 9.8 (kritisch) --------------------------------------------- https://cert.at/de/warnungen/2024/5/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ CISCO Talos: Vulnerability Roundup ∗∗∗ --------------------------------------------- Peplink Smart Reader, Silicon Labs Gecko Platform, open-source library for DICOM files, Grassroots DICOM library and Foxit PDF Reader. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-may-1-2024/ ∗∗∗ Sonicwall: GMS ECM multiple vulnerabilities ∗∗∗ --------------------------------------------- CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability. CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/972186/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5). --------------------------------------------- https://lwn.net/Articles/972029/ ∗∗∗ Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover ∗∗∗ --------------------------------------------- Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-san… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ F5: K000139430 : Linux kernel vulnerability CVE-2024-1086 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139430 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ ZDI-24-419: (Pwn2Own) Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-419/ ∗∗∗ ZDI-24-418: (Pwn2Own) Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-418/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CyberPower PowerPanel ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2024
by Daily end-of-shift report 30 Apr '24

30 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-04-2024 18:00 − Dienstag 30-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefälschte SMS im Namen von Bundeskanzleramt ∗∗∗ --------------------------------------------- Vorsicht: Kriminelle geben sich als Bundeskanzleramt Österreich aus. In der SMS wird behauptet, dass eine Nachricht auf Sie wartet. Klicken Sie auf keinen Fall auf den Link, Sie werden auf eine gefälschte Webseite weitergeleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-sms-im-namen-von-bundesk… ∗∗∗ FBI warns of fake verification schemes targeting dating app users ∗∗∗ --------------------------------------------- The FBI is warning of fake verification schemes promoted by fraudsters on online dating platforms that lead to costly recurring subscription charges. [..] It starts with fraudsters approaching victims on a dating app or site and developing a romantic rapport. This lays the ground for requesting to take the conversation outside the platform onto a supposedly safer communications tool. At this stage, the fraudster sends a link to the victim that will take them to a seemingly legitimate verification platform where the victim will have to verify they're not a sexual offender. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verificati… ∗∗∗ Millions of Malicious Imageless Containers Planted on Docker Hub Over 5 Years ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. [..] Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns. --------------------------------------------- https://thehackernews.com/2024/04/millions-of-malicious-imageless.html ∗∗∗ The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen ∗∗∗ --------------------------------------------- McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-le… ∗∗∗ Chrome 124 macht TLS-Handshake kaputt ∗∗∗ --------------------------------------------- Google hat kürzlich seinen Google Chrome-Browser in der Version 124 veröffentlicht. Neben Schwachstellen haben die Entwickler auch etwas an der TLS-Verschlüsselung (X25519Kyber768-Schlüsselkapselung für TLS) geändert. Inzwischen gibt es aber Rückmeldungen von Nutzern, die sich darüber beklagen, dass diese Änderung das TLS-Handshake zu Webservern kaputt machen kann. Das betrifft auch auf Chromium basierende Browser wie den Edge 124. --------------------------------------------- https://www.borncity.com/blog/2024/04/30/chrome-124-macht-tls-handshake-kap… ∗∗∗ Google Play blockiert mehr als 2 Millionen Trojaner-Apps – Tendenz steigend ∗∗∗ --------------------------------------------- Dank strengerer Sicherheitschecks sperrte Google 2023 knapp 2,3 Millionen böse Apps aus. Trotz gesteigerter Bemühungen schlüpfen aber immer noch welche durch. --------------------------------------------- https://heise.de/-9703405 ∗∗∗ CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure ∗∗∗ --------------------------------------------- New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy. [..] The guidelines calls on management to act decisively on identified AI risks to enhance safety and security, ensuring that risk management controls are implemented and maintained to optimize the benefits of AI systems while minimizing adverse effects. --------------------------------------------- https://www.securityweek.com/cisa-rolls-out-new-guidelines-to-mitigate-ai-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (org-mode), Oracle (shim and tigervnc), Red Hat (ansible-core, avahi, buildah, container-tools:4.0, containernetworking-plugins, edk2, exfatprogs, fence-agents, file, freeglut, freerdp, frr, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, kernel, libjpeg-turbo, libnbd, LibRaw, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild and osbuild-composer, pam, pcp, pcs, perl, pmix, podman, python-jinja2, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, squashfs-tools, systemd, tcpdump, tigervnc, toolbox, traceroute, webkit2gtk3, wpa_supplicant, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (docker, ffmpeg, ffmpeg-4, frr, and kernel), and Ubuntu (anope, freerdp3, and php7.0, php7.2, php7.4, php8.1). --------------------------------------------- https://lwn.net/Articles/971740/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ChromeOS: Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2024/04/long-term-support-channel-upda… ∗∗∗ [R1] Nessus Network Monitor 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-07 ∗∗∗ Delta Electronics CNCSoft-G2 DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/icsa-24-121-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2024
by Daily end-of-shift report 29 Apr '24

29 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-04-2024 18:00 − Montag 29-04-2024 18:01 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Winrar: Gefälschte Ausgaben unter Linux möglich und MotW-Probleme in Windows ∗∗∗ --------------------------------------------- Die Version 7.00 der Archiv-Software Winrar schließt auch Sicherheitslücken. Unter Linux lassen sich Ausgaben fälschen, in Windows MotW-Markierungen. [..] Winrar 7.00 wurde schon vor einigen Wochen veröffentlicht. --------------------------------------------- https://heise.de/-9701474 ∗∗∗ Okta warns of "unprecedented" credential stuffing attacks on customers ∗∗∗ --------------------------------------------- Okta warns of an "unprecedented" spike in credential stuffing attacks targeting its identity and access management solutions, with some customer accounts breached in the attacks. [..] Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takover. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-… ∗∗∗ D-Link NAS Device Backdoor Abused, (Mon, Apr 29th) ∗∗∗ --------------------------------------------- End of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. [..] Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by DLink, and no patch is expected to be released. --------------------------------------------- https://isc.sans.edu/diary/rss/30878 ∗∗∗ New R Programming Vulnerability Exposes Projects to Supply Chain Attacks ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. [..] The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure. --------------------------------------------- https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.h… ∗∗∗ Discord dismantles Spy.pet site that snooped on millions of users ∗∗∗ --------------------------------------------- The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers. Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/29/infosec_in_b… ∗∗∗ Google-Bewertungen entfernen lassen? Vorsicht vor entferno.at ∗∗∗ --------------------------------------------- entferno.at verspricht, Google-Rezensionen entfernen zu lassen – angeblich mit einer Erfolgsquote von 95 Prozent. Wer auf dieses Angebot eingeht, wird aber enttäuscht, denn trotz Bezahlung wurden in aktuellen Fällen keine Bewertungen gelöscht und auf schriftliche und telefonische Anfragen wurde nicht mehr reagiert. Das Geld ist weg! --------------------------------------------- https://www.watchlist-internet.at/news/google-bewertungen-entfernen-lassen-… ∗∗∗ From IcedID to Dagon Locker Ransomware in 29 Days ∗∗∗ --------------------------------------------- In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. [..] This case had a TTR (time to ransomware) of 29 days. --------------------------------------------- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware… ∗∗∗ Britische Regierung verbietet Geräte mit schwachen Passwörtern ∗∗∗ --------------------------------------------- Unternehmen sind gesetzlich verpflichtet, ihre Geräte vor Cyberkriminellen zu schützen. Smartphones mit unsicheren Passwörtern müssen künftig gemeldet werden. --------------------------------------------- https://heise.de/-9702215 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow). --------------------------------------------- https://lwn.net/Articles/971487/ ∗∗∗ Qnap schließt NAS-Sicherheitslücken aus Hacker-Wettbewerb Pwn2Own ∗∗∗ --------------------------------------------- NAS-Modelle von Qnap sind verwundbar. Nun hat der Hersteller Sicherheitsupdates für das Betriebssystem und Apps veröffentlicht. --------------------------------------------- https://heise.de/-9701977 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2024
by Daily end-of-shift report 26 Apr '24

26 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-04-2024 18:00 − Freitag 26-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ NIS2 – Richtlinie: Ein zweiter Blick auf den Text ∗∗∗ --------------------------------------------- Beim Schreiben unserer Stellungnahmen zum Entwurf des NISG 2024 habe ich mir die Paragrafen, die uns betreffen, genauer angesehen. Diesmal nicht mit dem Blickwinkel „macht das Sinn“, sondern mit Fokus auf die Formulierungen. Das erinnert mich ein bisschen an die Zeit, als ich bei der Erstellung von RFCs mitgearbeitet habe und da auch bei Reviews jedes Wort genau auf mögliche Fehldeutungen abgeklopft habe. Ich hatte beim Lesen drei Dokumente offen: den Gesetzesentwurf, die Richtlinie in der deutschen Version und auch die englische Fassung. Und viele der schlechten Formulierungen waren keine Erfindungen aus Wien, sondern wurden schon in Brüssel erfunden. Ich will das hier dokumentieren. --------------------------------------------- https://cert.at/de/blog/2024/4/nis2-formulierungen ∗∗∗ Researchers sinkhole PlugX malware server with 2.5 million unique IPs ∗∗∗ --------------------------------------------- Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [..] Sekoia has formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams and law enforcement agencies to join the disinfection effort. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-m… ∗∗∗ Per Brute Force: Schwachstelle beim GLS-Tracking legt Empfängeradressen offen ∗∗∗ --------------------------------------------- Durch einen fehlenden Brute-Force-Schutz ist es möglich gewesen, einer API von GLS genaue Adressdaten der Empfänger von GLS-Paketen zu entlocken. --------------------------------------------- https://www.golem.de/news/per-brute-force-schwachstelle-beim-gls-tracking-l… ∗∗∗ Per GPU geknackt: So sicher sind 8-Zeichen-Passwörter 2024 ∗∗∗ --------------------------------------------- Ein gutes Passwort sollte mindestens 8 Zeichen lang sein, lautet oftmals die Empfehlung. Neue Untersuchungen zeigen jedoch: Die Zeit ist reif für mehr. [..] Ein neuer Bericht des Cybersecurity-Unternehmens Hive Systems zeigt jedoch, dass sich 8-Zeichen-Passwörter je nach verwendetem Hashing-Algorithmus und verfügbarer GPU-Leistung inzwischen in einer überschaubaren Zeit knacken lassen. --------------------------------------------- https://www.golem.de/news/per-gpu-geknackt-so-sicher-sind-8-zeichen-passwoe… ∗∗∗ Fake-Rechnungen von firmenradar.com im Umlauf! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns, weil sie Rechnungen erhalten und nicht wissen, wofür sie zahlen sollen. Die Rechnungen stammen von firmenradar.com, verlangt werden 899 Euro für einen „Platin-Eintrag“. Zahlen Sie nichts! Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-rechnungen-von-firmenradarcom-i… ∗∗∗ “Junk gun” ransomware: the cheap new threat to small businesses ∗∗∗ --------------------------------------------- A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. [..] "Junk gun" ransomware is appealing to a criminal who wants to operate independently but lacks technical skills. [..] A low entry barrier means potentially more ransomware attackers. --------------------------------------------- https://www.tripwire.com/state-of-security/junk-gun-ransomware-cheap-new-th… ∗∗∗ C-DATA Web Management System RCE Attack ∗∗∗ --------------------------------------------- FortiGuard Labs observed a critical level of attack attempts in the wild targeting a 2-year-old vulnerability found on C-DATA Web Management System. [..] The vulnerability CVE-2022-4257 allows a remote attacker to execute arbitrary commands on the target system. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/c-data-rce-attack ∗∗∗ Chinesische Tastatur-Apps haben Schwachstelle und verraten, was Nutzer tippen ∗∗∗ --------------------------------------------- Bereits im August 2023 stellten die Forscher des Citizen Lab fest, dass die beliebte Tastatur-App Sogou bei der Übertragung von Tastenanschlagsdaten an ihren Cloud-Server für bessere Tippvorhersagen keine Transport Layer Security (TLS) nutzte. Ohne TLS können Tastatureingaben jedoch von Dritten mitgeschnitten werden. Obwohl Sogou das Problem nach Bekanntwerden im letzten Jahr behoben hat, sind viele vorinstallierte Sogou-Tastaturen nicht auf dem neuesten Stand und können weiterhin abgehört werden. --------------------------------------------- https://heise.de/-9699644 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix). --------------------------------------------- https://lwn.net/Articles/971289/ ∗∗∗ QNAP Security Advisories 2024-04-26 ∗∗∗ --------------------------------------------- QNAP released 6 new security Advisories. --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mattermost security updates 9.7.2 / 9.6.2 / 9.5.4 (ESR) / 8.1.13 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-7-2-9-6-2-9-5-4-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2024
by Daily end-of-shift report 25 Apr '24

25 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-04-2024 18:00 − Donnerstag 25-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Brokewell malware takes over Android devices, steals data ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-… ∗∗∗ Does it matter if iptables isnt running on my honeypot?, (Thu, Apr 25th) ∗∗∗ --------------------------------------------- I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks. --------------------------------------------- https://isc.sans.edu/diary/rss/30862 ∗∗∗ Sifting through the spines: identifying (potential) Cactus ransomware victims ∗∗∗ --------------------------------------------- This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. --------------------------------------------- https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identif… ∗∗∗ ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ∗∗∗ --------------------------------------------- ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. --------------------------------------------- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaig… ∗∗∗ Talos IR trends: BEC attacks surge, while weaknesses in MFA persist ∗∗∗ --------------------------------------------- Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/ ∗∗∗ Threat Bulletin – New variant of IDAT Loader ∗∗∗ --------------------------------------------- Morphisec has successfully identified and prevented a new variant of IDAT loader. --------------------------------------------- https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant ∗∗∗ Ransomware Roundup - KageNoHitobito and DoNex ∗∗∗ --------------------------------------------- The KageNoHitobito and DoNex are recent ransomware that are financially motivated, demanding payment from victims to decrypt files. --------------------------------------------- https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-… ===================== = Vulnerabilities = ===================== ∗∗∗ Maximum severity Flowmon bug has a public exploit, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug… ∗∗∗ WP Automatic WordPress plugin hit by millions of SQL injection attacks ∗∗∗ --------------------------------------------- Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugi… ∗∗∗ Über Zero-Day-Schwachstellen: Cisco-Firewalls werden seit Monaten attackiert ∗∗∗ --------------------------------------------- Eine zuvor unbekannte Hackergruppe nutzt mindestens seit November 2023 zwei Zero-Day-Schwachstellen in Cisco-Firewalls aus, um Netzwerke zu infiltrieren. --------------------------------------------- https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-wer… ∗∗∗ Unter Windows: Schwachstelle in Virtualbox verleiht Angreifern Systemrechte ∗∗∗ --------------------------------------------- Zwei Forscher haben unabhängig voneinander eine Schwachstelle in Oracles Virtualbox entdeckt. Angreifer können damit auf Windows-Hosts ihre Rechte ausweiten. --------------------------------------------- https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleih… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird). --------------------------------------------- https://lwn.net/Articles/971140/ ∗∗∗ Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking ∗∗∗ --------------------------------------------- The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password. --------------------------------------------- https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Security Advisories 2024-04-25 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/publicationListing.x ∗∗∗ Multiple Vulnerabilities in Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01 ∗∗∗ Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04 ∗∗∗ Hitachi Energy MACH SCM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2024
by Daily end-of-shift report 24 Apr '24

24 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2024 18:00 − Mittwoch 24-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft pulls fix for Outlook bug behind ICS security alerts ∗∗∗ --------------------------------------------- Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-out… ∗∗∗ Assessing the Y, and How, of the XZ Utils incident ∗∗∗ --------------------------------------------- In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ ∗∗∗ Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an ongoing attack campaign thats leveraging phishing emails to deliver malware called SSLoad. --------------------------------------------- https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html ∗∗∗ Decrypting FortiOS 7.0.x ∗∗∗ --------------------------------------------- Decrypting Fortinet’s FortiGate FortiOS firmware is a topic that has been thoroughly covered, in part because of the many variants and permutations of FortiOS firmware, all differing based on hardware architecture and versioning. --------------------------------------------- https://www.labs.greynoise.io/grimoire/2024-04-23-decrypting-fortios/ ∗∗∗ New Password Cracking Analysis Targets Bcrypt ∗∗∗ --------------------------------------------- Hive Systems conducts another study on cracking passwords via brute-force attacks, but it’s no longer targeting MD5. --------------------------------------------- https://www.securityweek.com/new-password-cracking-analysis-targets-bcrypt/ ∗∗∗ Musiker:innen aufgepasst: Spam-Mails versprechen wertvolles Piano ∗∗∗ --------------------------------------------- Musiker:innen und insbesondere Pianist:innen müssen sich aktuell vor betrügerischen E-Mails in Acht nehmen, in denen ihnen ein teures Piano versprochen wird. Kriminelle geben sich als Witwe aus und suchen nach Abnehmer:innen für teure Instrumente wie beispielsweise wie das Yamaha Baby Grand Piano ihres verstorbenen Ehemanns. --------------------------------------------- https://www.watchlist-internet.at/news/musikerinnen-aufgepasst-spam-mails-v… ∗∗∗ Windows-Frage: Wo speichert Bitlocker den Recovery-Key? ∗∗∗ --------------------------------------------- Bitlocker, das "unbekannte Wesen" möchte ich mal den Blog-Beitrag umschreiben. Es geht um die Frage, wo die Windows-Funktion Bitlocker eigentlich den Recovery-Key, der immer mal wieder gebraucht wird, überhaupt speichert. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/windows-frage-wo-speichert-bitlock… ∗∗∗ Exchange Server April 2024 Hotfix-Updates (24. April 2024) ∗∗∗ --------------------------------------------- Microsoft hat zum 24. April Hotfix-Updates (HU) für Exchange Server 2016 und 2019 veröffentlicht. Diese Hotfix-Updates bieten Unterstützung für neue Funktionen und sollen Probleme, die durch das März 2024 Security Update (SU) hervorgerufen wurden, beheben. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/exchange-server-april-2024-hotfix-… ∗∗∗ Distribution of Infostealer Made With Electron ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. --------------------------------------------- https://asec.ahnlab.com/en/64445/ ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana backend sql injection affected all version ∗∗∗ --------------------------------------------- To exploit this sql injection vulnerability, someone must use a valid account login to the grafana web backend, then send malicious POST request to /api/ds/query “rawSql” entry. --------------------------------------------- https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, [...] --------------------------------------------- https://lwn.net/Articles/971004/ ∗∗∗ Google Patches Critical Chrome Vulnerability ∗∗∗ --------------------------------------------- Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. --------------------------------------------- https://www.securityweek.com/google-patches-critical-chrome-vulnerability/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2024
by Daily end-of-shift report 23 Apr '24

23 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-04-2024 18:00 − Dienstag 23-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials ∗∗∗ --------------------------------------------- Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-b… ∗∗∗ Struts "devmode": Still a problem ten years later?, (Tue, Apr 23rd) ∗∗∗ --------------------------------------------- Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution. --------------------------------------------- https://isc.sans.edu/diary/rss/30866 ∗∗∗ An Analysis of the DHEat DoS Against SSH in Cloud Environments ∗∗∗ --------------------------------------------- The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources. --------------------------------------------- https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-a… ∗∗∗ Neu auf Vinted? Scannen Sie keinen QR-Code! ∗∗∗ --------------------------------------------- Vorsicht! Kriminelle kontaktieren gezielt neue Vinted-Nutzer:innen. Sie geben vor, den Artikel kaufen zu wollen und schicken einen QR-Code. Der QR-Code führt jedoch zu einer gefälschten Zahlungsseite von Vinted. Dort erfragen die Kriminellen Ihre Bankdaten und versuchen Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr… ∗∗∗ Suspected CoralRaider continues to expand victimology using three information stealers ∗∗∗ --------------------------------------------- Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. --------------------------------------------- https://blog.talosintelligence.com/suspected-coralraider-continues-to-expan… ∗∗∗ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining ∗∗∗ --------------------------------------------- Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. --------------------------------------------- https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-fo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid). --------------------------------------------- https://lwn.net/Articles/970889/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Welotec: Clickjacking Vulnerability in WebUI ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-023/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2024
by Daily end-of-shift report 22 Apr '24

22 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2024 18:00 − Montag 22-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗ --------------------------------------------- Have you ever encountered the term double agent? Recently, weve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages. --------------------------------------------- https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the… ∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗ --------------------------------------------- Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html ∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗ --------------------------------------------- Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool. --------------------------------------------- https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-sec… ∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗ --------------------------------------------- The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebran… ∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗ --------------------------------------------- BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-st… ∗∗∗ Sicherheitslücke aufgedeckt: Forscher knackt Cisco-Appliance und zockt Doom ∗∗∗ --------------------------------------------- Mit einem eigens entwickelten Exploit-Toolkit hat er sich auf dem BMC einer Cisco ESA C195 einen Root-Zugriff verschafft. [..] Um auf der C195 Doom auszuführen, reicht CVE-2024-20356 allein allerdings nicht aus. Thacker nahm zuerst diverse Modifikationen am Bios der Cisco ESA vor und verschaffte sich erst danach mit Ciscown über das Netzwerk einen Root-Zugriff auf den BMC. [..] Eine Liste der Systeme, die in der Standardkonfiguration anfällig sind, ist im Sicherheitshinweis von Cisco zu finden – ebenso wie die jeweiligen Systemversionen, die einen Patch beinhalten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisc… ∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗ --------------------------------------------- We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts. --------------------------------------------- https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112… ∗∗∗ Vorsicht vor Jobangeboten per WhatsApp, SMS oder Telegram ∗∗∗ --------------------------------------------- Die Betrugsmasche beginnt direkt auf Ihrem Smartphone: Sie bekommen auf WhatsApp, Telegram oder einen anderen Messenger eine Nachricht von einer Jobvermittlung. Ihnen wird ein Nebenjob mit flexibler Zeiteinteilung angeboten. Ihre Aufgabe ist es, Hotels, Online-Shops oder andere Dienstleistungen zu bewerten oder zu testen. Angeblich kann man damit zwischen 300 und 1000 Euro pro Tag verdienen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsa… ∗∗∗ NATO-Cyberübung "Locked Shields": Phishing verhindern, Container verteidigen ∗∗∗ --------------------------------------------- Das Cybersicherheitszentrum der NATO bittet zur Großübung. Sie simuliert, wie kritische Infrastruktur vor digitalen Angriffen geschützt werden kann. --------------------------------------------- https://heise.de/-9691854 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗ --------------------------------------------- On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-f… ∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗ --------------------------------------------- Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-750274.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow). --------------------------------------------- https://lwn.net/Articles/970793/ ∗∗∗ Jetzt patchen! Attacken auf Dateiübertragungsserver CrushFTP beobachtet ∗∗∗ --------------------------------------------- Der Anbieter der Dateiübertragungsserversoftware CrushFTP warnt vor einer Sicherheitslücke, die Angreifer Sicherheitsforschern zufolge bereits ausnutzen. Dagegen gerüstete Versionen stehen zum Download bereit. Aus einer Sicherheitswarnung geht hervor, dass die Ausgaben 10.7.1 und 11.1.0 gegen die Angriffe gerüstet sind. --------------------------------------------- https://heise.de/-9693009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2024
by Daily end-of-shift report 19 Apr '24

19 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2024 18:02 − Freitag 19-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google ad impersonates Whales Market to push wallet drainer malware ∗∗∗ --------------------------------------------- A legitimate-looking Google Search advertisement for the crypto trading platform Whales Market redirects visitors to a wallet-draining phishing site that steals all of your assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whale… ∗∗∗ Fake cheat lures gamers into spreading infostealer malware ∗∗∗ --------------------------------------------- A new info-stealing malware linked to Redline poses as a game cheat called Cheat Lab, promising downloaders a free copy if they convince their friends to install it too. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into… ∗∗∗ SAP Applications Increasingly in Attacker Crosshairs, Report Shows ∗∗∗ --------------------------------------------- Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint. --------------------------------------------- https://www.securityweek.com/sap-applications-increasingly-in-attacker-cros… ∗∗∗ Erneut Phishing-Mails im Namen der ÖGK im Umlauf! ∗∗∗ --------------------------------------------- Derzeit erreichen uns wieder zahlreiche Meldungen über betrügerische Nachrichten, die im Namen der Österreichischen Gesundheitskasse ÖGK versendet werden. Darin wird Ihnen vorgegaukelt, dass Sie eine Rückerstattung von 150,95 Euro erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/erneut-phishing-mails-im-namen-der-o… ∗∗∗ #StopRansomware: Akira Ransomware ∗∗∗ --------------------------------------------- The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a ∗∗∗ "iMessage abschalten": Warnung vor angeblichem Exploit verunsichert Nutzer ∗∗∗ --------------------------------------------- Ein bekanntes Krypto-Wallet warnt iOS-Nutzer vor einem "hochriskanten Zero-Day-Exploit für iMessage". Der angebliche Exploit könnte aber ein Scam sein. --------------------------------------------- https://heise.de/-9690778 ∗∗∗ DDoS-Plattform von internationalen Strafverfolgern abgeschaltet ∗∗∗ --------------------------------------------- Internationale Strafverfolger haben eine DDoS-as-a-service-Plattform abgeschaltet und die Domain beschlagnahmt. --------------------------------------------- https://heise.de/-9691053 ∗∗∗ Ionos-Phishing: Masche mit neuen EU-Richtlinien soll Opfer überzeugen ∗∗∗ --------------------------------------------- Das Phishingradar warnt vor einer Phishing-Masche, bei der Ionos-Kunden angeblich zu neuen EU-Richtlinien zustimmen müssen. --------------------------------------------- https://heise.de/-9691259 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark). --------------------------------------------- https://lwn.net/Articles/970508/ ∗∗∗ FIDO2-Sticks: Lücke in Yubikey-Verwaltungssoftware erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Um die FIDO2-Sticks von Yubikey zu verwalten, stellt der Hersteller eine Software bereit. Eine Lücke darin ermöglicht die Ausweitung der Rechte. --------------------------------------------- https://heise.de/-9690597 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2024
by Daily end-of-shift report 18 Apr '24

18 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-04-2024 18:00 − Donnerstag 18-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Stellungnahme von CERT.at zum NISG 2024 ∗∗∗ --------------------------------------------- Die EU hat noch Ende 2022 die NIS2-Richtlinie angenommen, was den EU Mitgliedstaaten eine Frist bis Herbst 2024 einräumt, diese in nationales Recht zu gießen. Jetzt liegt ein Entwurf für dieses Gesetz vor und wir haben uns genau angesehen, wie die Punkte umgesetzt sind, die uns als nationales CSIRT betreffen. Dabei sind uns einige Stellen aufgefallen, wo wir klares und einfaches Verbesserungspotential sehen. --------------------------------------------- https://cert.at/de/blog/2024/4/nisg2024-stellungnahme ∗∗∗ Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks ∗∗∗ --------------------------------------------- Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMedata workloads left unpatched. [..] The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMedata versions 1.2.4 and 1.3.1. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-openmetadata-… ∗∗∗ Cybercriminals pose as LastPass staff to hack password vaults ∗∗∗ --------------------------------------------- The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastp… ∗∗∗ Mit CVE-Beschreibung: GPT-4 kann eigenständig bekannte Sicherheitslücken ausnutzen ∗∗∗ --------------------------------------------- Forscher haben festgestellt, dass GPT-4 allein anhand der zugehörigen Schwachstellenbeschreibungen 13 von 15 Sicherheitslücken erfolgreich ausnutzen kann. --------------------------------------------- https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bek… ∗∗∗ Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor ∗∗∗ --------------------------------------------- A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell."The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said. --------------------------------------------- https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html ∗∗∗ Redline Stealer: A Novel Approach ∗∗∗ --------------------------------------------- A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. [..] In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-nove… ∗∗∗ Analysis of Pupy RAT Used in Attacks Against Linux Systems ∗∗∗ --------------------------------------------- Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. --------------------------------------------- https://asec.ahnlab.com/en/64258/ ∗∗∗ Kapeka: Neuartige Malware aus Russland? ∗∗∗ --------------------------------------------- Berichte über eine neuartige "Kapeka"-Malware tauchen allerorten auf. Die ist jedoch gar nicht neu und seit fast einem Jahr nicht mehr aktiv. [..] Die Entdeckung der Malware als "großen Schlag gegen Russland" zu werten, wie sich ein WithSecure-Sprecher gegenüber der Presseagentur dpa zitieren ließ, wirkt jedoch wie ein PR-Manöver. Schließlich wurde Kapeka auch ohne Intervention von Schadsoftware-Jägern seit Mitte vergangenen Jahres nicht mehr in freier Wildbahn gesichtet. --------------------------------------------- https://heise.de/-9688970 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/970324/ ∗∗∗ Update für Solarwinds FTP-Server Serv-U schließt Lücke mit hohem Risiko ∗∗∗ --------------------------------------------- Im Solarwinds Serv-U-FTP-Server klafft eine als hohes Risiko eingestufte Sicherheitslücke. Der Hersteller dichtet sie mit einem Update ab. --------------------------------------------- https://heise.de/-9689092 ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco IMC können bevorstehen ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Cisco Integrated Management Controller und IOS erschienen. Exploitcode ist in Umlauf. --------------------------------------------- https://heise.de/-9689086 ∗∗∗ Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Integrated Management Controller CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unitronics Vision Series PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2024
by Daily end-of-shift report 17 Apr '24

17 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-04-2024 18:00 − Mittwoch 17-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SoumniBot: the new Android banker’s unique techniques ∗∗∗ --------------------------------------------- We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection. --------------------------------------------- https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112… ∗∗∗ Malicious PDF File Used As Delivery Mechanism, (Wed, Apr 17th) ∗∗∗ --------------------------------------------- Billions of PDF files are exchanged daily and many people trust them because they think the file is "read-only" and contains just "a bunch of data". In the past, badly crafted PDF files could trigger nasty vulnerabilities in PDF viewers. --------------------------------------------- https://isc.sans.edu/diary/rss/30848 ∗∗∗ Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware ∗∗∗ --------------------------------------------- Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. --------------------------------------------- https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html ∗∗∗ Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new campaign thats exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html ∗∗∗ Neue Phishing-Masche: Gefälschte Postbriefe ∗∗∗ --------------------------------------------- Die Polizei warnt vor vermehrten Phishing-Fällen in der Steiermark. In Postkästen hinterlegten unbekannte Täter gefälschte Postbenachrichtigungen mit angeführten QR-Codes. Damit sollen Opfer auf eine gefälschte Website gelockt und persönliche Daten abgesaugt werden. --------------------------------------------- https://steiermark.orf.at/stories/3253261/ ∗∗∗ Vorsicht vor unseriösen Ticketangeboten für die UEFA EURO 2024 in Deutschland! ∗∗∗ --------------------------------------------- Fußball-Fans aufgepasst: Wenn Sie jetzt noch auf der Suche nach Eintrittskarten in die Europameisterschaftsstadien für die EM 2024 sind, müssen Sie sich vor betrügerischen und unseriösen Angeboten in Acht nehmen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-ticketangebote-euro2024/ ∗∗∗ OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal ∗∗∗ --------------------------------------------- The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. --------------------------------------------- https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confident… ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti warns of critical flaws in its Avalanche MDM solution ∗∗∗ --------------------------------------------- Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-fla… ∗∗∗ VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models ∗∗∗ --------------------------------------------- Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. --------------------------------------------- https://kb.cert.org/vuls/id/253266 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot). --------------------------------------------- https://lwn.net/Articles/970169/ ∗∗∗ Oracle Critical Patch Update Advisory - April 2024 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2024.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Huawei Security Bulletins ∗∗∗ --------------------------------------------- https://securitybulletin.huawei.com/enterprise/en/security-advisory -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2024
by Daily end-of-shift report 16 Apr '24

16 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2024 18:00 − Dienstag 16-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe its so? Iinstead, weve decided to do something better - thats right! Were proud to release another detection artefact generator tool, this time in the form of an HTTP request: --------------------------------------------- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-c… ∗∗∗ Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗ --------------------------------------------- One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April. --------------------------------------------- https://isc.sans.edu/diary/rss/30838 ∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗ --------------------------------------------- A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-… ∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗ --------------------------------------------- New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager. --------------------------------------------- https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html ∗∗∗ Vorsicht vor falschen Bankanrufen ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf – angeblich von einer Bank. Die Person am Telefon behauptet, Sie hätten einen Kreditantrag eingereicht. Wenn Sie widersprechen, erklärt die Person am Telefon, dass dann wohl Kriminelle in Ihrem Namen den Kreditantrag gestellt hätten. Legen Sie auf! Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/ ∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗ --------------------------------------------- Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here. --------------------------------------------- https://blog.talosintelligence.com/large-scale-brute-force-activity-targeti… ∗∗∗ Zugriffsmanagement: Kritische Admin-Lücke in Delinea Secret Server geschlossen ∗∗∗ --------------------------------------------- Die Privileged-Access-Management-Lösung (PAM) Secret Server von Delinea ist verwundbar. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-9686457 ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in PuTTY - CVE-2024-31497 ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen haben in PuTTY, einer verbreiteten quelloffenen Software zur Herstellung von Verbindungen über Secure Shell (SSH), eine schwere Sicherheitslücke gefunden. Die Ausnutzung von CVE-2024-31497 erlaubt es Angreifer:innen unter bestimmten Umständen, den privaten Schlüssel eines kryptographischen Schlüsselpaares wiederherzustellen. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/970036/ ∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23835228/ ∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFai… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/ ∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt ∗∗∗ Measuresoft ScadaPro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01 ∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 ∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03 ∗∗∗ RoboDK RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2024
by Daily end-of-shift report 15 Apr '24

15 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2024 18:00 − Montag 15-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report. --------------------------------------------- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthent… ∗∗∗ Cisco Duo warns third-party data breach exposed SMS MFA logs ∗∗∗ --------------------------------------------- Cisco Duos security team warns that hackers stole some customers VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-… ∗∗∗ Angriff via WebGPU: Sensible Nutzerdaten lassen sich per Javascript auslesen ∗∗∗ --------------------------------------------- Einem Forscherteam der TU Graz ist es gelungen, durch drei verschiedene Seitenkanalangriffe über die in modernen Webbrowsern integrierte Grafikschnittstelle WebGPU sicherheitsrelevante Nutzerdaten wie Tastatureingaben oder Verschlüsselungsschlüssel auszuspähen. Durch die Forschungsarbeit will das Team vor allem auf die Risiken aufmerksam machen, die mit der Implementierung von WebGPU einhergehen können. --------------------------------------------- https://www.golem.de/news/angriff-via-webgpu-sensible-nutzerdaten-lassen-si… ∗∗∗ Using the LockBit builder to generate targeted ransomware ∗∗∗ --------------------------------------------- Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder. --------------------------------------------- https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/ ∗∗∗ Delinea Secret Server customers should apply latest patches ∗∗∗ --------------------------------------------- Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access. [..] Delinea sent us a statement post publication: "We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/15/delinea_secr… ∗∗∗ Unpacking the Blackjack Groups Fuxnet Malware ∗∗∗ --------------------------------------------- Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. [..] Screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment. --------------------------------------------- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-m… ∗∗∗ Falsche Google-Anrufe zu Ihrem Google-Business-Eintrag ∗∗∗ --------------------------------------------- Vorsicht, wenn Anrufer:innen vorgeben, von Google zu sein. Vermehrt geben sich Kriminelle als Google aus und behaupten, dass die Testphase Ihres Google-Business-Profils abgelaufen und der Eintrag nun kostenpflichtig sei. Legen Sie gleich auf! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-google-anrufe-zu-ihrem-googl… ∗∗∗ “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. --------------------------------------------- https://asec.ahnlab.com/en/64106/ ∗∗∗ Lancom-Setup-Assistent leert Root-Passwort ∗∗∗ --------------------------------------------- Wer Lancom-Router mit dem Windows-Setup-Assistenten konfiguriert, läuft Gefahr, das Root-Passwort durch ein leeres zu ersetzen. --------------------------------------------- https://heise.de/-9682694 ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability ∗∗∗ --------------------------------------------- Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html ∗∗∗ Sicherheitsupdates: Schwachstellen in PHP gefährden Websites ∗∗∗ --------------------------------------------- Die PHP-Entwickler haben mehrere Schwachstellen geschlossen. Eine Sicherheitslücke gilt als kritisch. --------------------------------------------- https://heise.de/-9684558 ∗∗∗ Telegram Desktop: Tippfehler im Quellcode mündet in RCE-Schwachstelle ∗∗∗ --------------------------------------------- Ein Tippfehler im Code der Windows-App von Telegram ermöglicht die Ausführung von Schadcode auf fremden Systemen. Es reicht ein Klick auf ein vermeintliches Video. [..] Der Tippfehler im Telegram-Quellcode bezieht sich aber nicht auf .exe, sondern auf die Dateiendung .pyzw, die ausführbaren Python-Zip-Archiven zugeordnet wird. Diese war im Code noch bis zum 11. April als .pywz hinterlegt, so dass die oben genannte Sicherheitswarnung bei einem Klick auf eine .pyzw-Datei gar nicht erst erschien. [..] Zwar hat Telegram den Fehler im Quellcode inzwischen behoben, ein entsprechendes Update für die Windows-App wurde bisher aber offenbar nicht verteilt. --------------------------------------------- https://www.golem.de/news/telegram-desktop-tippfehler-im-quellcode-muendet-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard). --------------------------------------------- https://lwn.net/Articles/969873/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Xen: XSA-456 ∗∗∗ --------------------------------------------- https://xenbits.xenproject.org/people/gdunlap/xsa-draft/advisory-456.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2024
by Daily end-of-shift report 12 Apr '24

12 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2024 18:00 − Freitag 12-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Anweisung von oben: US-Behörden müssen nach Cyberangriff auf Microsoft aufräumen ∗∗∗ --------------------------------------------- Die Angreifer haben offenbar auch E-Mails abgegriffen, die zwischen Microsoft und US-Behörden ausgetauscht wurden. Letztere müssen nun handeln. --------------------------------------------- https://www.golem.de/news/anweisung-von-oben-us-behoerden-muessen-nach-cybe… ∗∗∗ Sicherheit: Apple warnt iPhone-Nutzer großflächig vor Spyware-Attacke ∗∗∗ --------------------------------------------- Apple hat iPhone-Besitzer in 92 Ländern vor Auftrags-Spyware-Angriffen gewarnt. Betroffene sollten die Warnung ernst nehmen und sich Hilfe suchen. --------------------------------------------- https://www.golem.de/news/sicherheit-apple-warnt-iphone-nutzer-grossflaechi… ∗∗∗ XZ backdoor story – Initial analysis ∗∗∗ --------------------------------------------- Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-1/112354/ ∗∗∗ Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a credit card skimmer thats concealed within a fake Meta Pixel tracker script in an attempt to evade detection. --------------------------------------------- https://thehackernews.com/2024/04/sneaky-credit-card-skimmer-disguised-as.h… ∗∗∗ Betrügerische Casino-Apps werden massiv über Facebook und Instagram beworben! ∗∗∗ --------------------------------------------- Mit zahlreichen Werbeanzeigen versuchen Kriminelle, ihre Opfer zum Download verschiedener Casino-Apps zu bewegen. Meist werden unglaubliche Gewinne versprochen, dazu kommen Freispiele und Boni von mehreren tausend Euro. In manchen Werbeanzeigen werden sogar Deepfake-Videos eingesetzt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-casino-apps-werden-ma… ∗∗∗ IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377) ∗∗∗ --------------------------------------------- Today, in this iteration of 'watchTowr Labs takes aim at yet another piece of software' we wonder why the industry panics about backdoors in libraries that have taken 2 years to be unsuccessfully introduced - while security vendors like IBM can't even update libraries used in their flagship security products that subsequently allow for trivial exploitation. [..] For those unfamiliar with defensive security products, QRadar is the mastermind application that can sit on-premise or in the cloud via IBM's SaaS offering. Quite simply, it's IBM's Security Information and Event Management (SIEM) product - and is the heart of many enterprise's security software stack. --------------------------------------------- https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-secur… ∗∗∗ Krypto-Scams: Coinbase warnt EU-Kunden vor iPhone-Sideloading ∗∗∗ --------------------------------------------- Die Kryptobörse weist europäische Kunden an, die App nur aus Apples App Store zu beziehen. Auch dort wurden zuletzt aber Fake-Wallets gesichtet. --------------------------------------------- https://heise.de/-9683728 ∗∗∗ Intellexa: Spyware des Predator-Herstellers kommt über Online-Werbung ∗∗∗ --------------------------------------------- Der Malware-Dealer Intellexa stellt Spähsoftware vor, die Handys rein über Werbebanner infiziert. [..] Die neue Malware heißt Aladdin und installiert sich ohne Klick des Opfers (Zero-Click-Exploits). [..] Das Gesamtpaket kostet vier Millionen Euro, inklusive einjähriger Garantie und 24-Stunden-Support. Telefonnummern aus den USA, Griechenland und Israel sollen nicht angegriffen werden dürfen, was offenbar auf verhängte Sanktionen zurückgeht. --------------------------------------------- https://heise.de/-9682500 ∗∗∗ Sicherheitslücken: Angreifer können Juniper-Netzwerkgeräte lahmlegen ∗∗∗ --------------------------------------------- Wichtige Patches schließen mehrere Schwachstellen in Junos OS, die Firewalls, Router und Switches verwundbar machen. --------------------------------------------- https://heise.de/-9682955 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Palo Alto PAN-OS (Global Protect) ∗∗∗ --------------------------------------------- n Palo Altos PAN-OS GlobalProtect-Funktion wurde eine kritische Sicherheitslücke identifiziert, welche das Einschleusen von Kommandos erlaubt. Zur Ausnutzung der Schwachstelle muss ein Gateway konfiguriert, und die sogenannte "Device Telemetry" aktiviert sein (zweiteres ist den betroffenen Versionen standardmäßig gegeben). Da noch keine Updates verfügbar sind, kann die Schwachstelle lediglich durch Konfigurationsänderungen mitigiert werden - beachten Sie den Abschnitt "Abhilfe". [..] CVE-2024-3400 --------------------------------------------- https://cert.at/de/warnungen/2024/4/palo-alto-cve-2024-3400 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss). --------------------------------------------- https://lwn.net/Articles/969590/ ∗∗∗ Linux-Kernel: Neuer Exploit verschafft Root-Rechte ∗∗∗ --------------------------------------------- Ob die Lücke in den jüngsten Kernelversionen behoben ist, ist selbst Sicherheitsexperten unklar. Auch um die Urheberschaft gibt es Streit. --------------------------------------------- https://heise.de/-9682586 ∗∗∗ B&R: 2024-04-10: Cyber Security Advisory - B&R APROL Several vulnerabilities in the Docker Engine ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P006_Several_vulnerabilities_in… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2024
by Daily end-of-shift report 11 Apr '24

11 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2024 18:00 − Donnerstag 11-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Spectre v2 attack impacts Linux systems on Intel CPUs ∗∗∗ --------------------------------------------- Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [..] The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities. For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impact… ∗∗∗ CISA says Sisense hack impacts critical infrastructure orgs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-sisense-hack-impac… ∗∗∗ DragonForce Ransomware - What You Need To Know ∗∗∗ --------------------------------------------- A relatively new strain of ransomware called DragonForce has making the headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. So far, so normal. How did DragonForce come to prominence? --------------------------------------------- https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-… ∗∗∗ CISA Releases Malware Next-Gen Analysis System for Public Use ∗∗∗ --------------------------------------------- CISAs Malware Next-Gen system is now available for any organization to submit malware samples and other suspicious artifacts for analysis. --------------------------------------------- https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system… ∗∗∗ Metasploit Meterpreter Installed via Redis Server ∗∗∗ --------------------------------------------- Redis is an abbreviation of Remote Dictionary Server, which is an open-source in-memory data structure storage that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks. --------------------------------------------- https://asec.ahnlab.com/en/64034/ ∗∗∗ Control Web Panel - Fingerprinting Open-Source Software using a Consolidation Algorithm approach ∗∗∗ --------------------------------------------- This blog post details one of these very unique cases: `CVE-2022-44877`, an unauthenticated Command Injection issue, flagged by CISA as a Known Exploited Vulnerability (CISA KEV), affecting Control Web Panel, an open-source control panel for servers and VPS management. Initially, the team could not find a way to straightforwardly fingerprint the software’s version, nor another way to detect it without intrusive exploitation - thus we used a novelty technique: an algorithm that retrieves the web application’s static web content files and consolidates them to pin-point the software’s version. --------------------------------------------- https://www.bitsight.com/blog/control-web-panel-fingerprinting-open-source-… ===================== = Vulnerabilities = ===================== ∗∗∗ Node.js Security Advisories Apr 10, 2024 ∗∗∗ --------------------------------------------- Node v21.7.3 (Current), Node v20.12.2 (LTS), Node v18.20.2 (LTS): CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows. --------------------------------------------- https://nodejs.org/en/blog/release/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux). --------------------------------------------- https://lwn.net/Articles/969468/ ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142 ∗∗∗ --------------------------------------------- Two issues have been identified that affect XenServer and Citrix Hypervisor; each issue may allow malicious unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host. --------------------------------------------- https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hyperviso… ∗∗∗ Google Chrome: Sandbox-Ausbruch durch bestimmte Gesten möglich ∗∗∗ --------------------------------------------- Mit etwas Verspätung haben Googles Entwickler das wöchentliche Update für den Chrome-Webbrowser veröffentlicht. Insgesamt drei Sicherheitslücken stopfen die Programmierer darin. Alle tragen die Risikoeinstufung "hoch". --------------------------------------------- https://heise.de/-9681413 ∗∗∗ WLAN-Access-Points von TP-Link 15 Minuten nach Reboot attackierbar ∗∗∗ --------------------------------------------- Angreifer können die WLAN-Access-Points von TP-Link AC1350 Wireless und N300 Wireless N Ceiling Mount attackieren und unter anderem auf Werksweinstellungen zurücksetzen. [..] Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9681863 ∗∗∗ Palo Alto Security Advisories ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2024
by Daily end-of-shift report 10 Apr '24

10 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-04-2024 18:00 − Mittwoch 10-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Verzögerte Aussendung der CERT.at-Tagesberichte ∗∗∗ --------------------------------------------- Aufgrund einer Fehlkonfiguration unserer Firewall kam es gestern, am 09.04.2024, zu einer teilweise verzögerten Aussendung unserer Tagesberichte. Wir bitten um Entschuldigung für entstandene Unannehmlichkeiten. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/verzogerte-aussendung-der-certat-tagesb… ∗∗∗ VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows ∗∗∗ --------------------------------------------- Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. --------------------------------------------- https://kb.cert.org/vuls/id/123335 ∗∗∗ Wie sich NIS 2 auf Mitarbeiter in Unternehmen auswirken wird ∗∗∗ --------------------------------------------- ÖGB Datenschutzexperte Sebastian Klocker im Interview über Schulungsmaßnahmen, Zutrittskontrollen und Überwachung. --------------------------------------------- https://futurezone.at/netzpolitik/nis-2-cybersicherheit-richtlinie-eu-geset… ∗∗∗ Datenpanne bei Microsoft: Passwörter und Quellcode lagen wohl offen im Netz ∗∗∗ --------------------------------------------- Microsoft hatte offenbar einen Azure-Storage-Server falsch konfiguriert. Angeblich sind allerhand sensible Daten des Konzerns für jedermann abrufbar gewesen. --------------------------------------------- https://www.golem.de/news/datenpanne-bei-microsoft-passwoerter-und-quellcod… ∗∗∗ Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024. --------------------------------------------- https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html ∗∗∗ Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla ∗∗∗ --------------------------------------------- Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrog… ∗∗∗ Muddled Libra’s Evolution to the Cloud ∗∗∗ --------------------------------------------- Muddled Libra now actively targets CSP environments and SaaS applications. Using the MITRE ATT&CK framework, we outline observed TTPs from incident response. --------------------------------------------- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/ ∗∗∗ Datendiebstahl unter macOS: Zwei neue Kampagnen aufgedeckt ∗∗∗ --------------------------------------------- Den Cyberkriminellen geht es um vertrauliche Nutzerdaten wie Passwörter. Unter anderem kommen gefälschte Werbeanzeigen zum Einsatz, um einen Infostealer einzuschleusen. --------------------------------------------- https://www.zdnet.de/88415282/datendiebstahl-unter-macos-zwei-neue-kampagne… ∗∗∗ New Technique to Trick Developers Detected in an Open Source Supply Chain Attack ∗∗∗ --------------------------------------------- In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality, and using meticulously crafted repositories to distribute malware. --------------------------------------------- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical BatBadBut Rust Vulnerability Exposes Windows Systems to Attacks ∗∗∗ --------------------------------------------- A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. --------------------------------------------- https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, [...] --------------------------------------------- https://lwn.net/Articles/969314/ ∗∗∗ Patchday: Angreifer umgehen erneut Sicherheitsfunktion und attackieren Windows ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Bitlocker, Office und Windows Defender veröffentlicht. Zwei Lücken nutzen Angreifer bereits aus. --------------------------------------------- https://heise.de/-9679989 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-455 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-455.html ∗∗∗ Pepperl+Fuchs: ICE2- * and ICE3- * are affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-017/ ∗∗∗ PC System Recovery Bootloader Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500613-PC-SYSTEM-RECOVERY-BOOT… ∗∗∗ AMI MegaRAC Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500612-AMI-MEGARAC-VULNERABILI… ∗∗∗ System Management Module (SMM v1 and v2) and Fan Power Controller (FPC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/SYSTEM-MANAGEMENT-MODULE-SMM-V1-… ∗∗∗ AMD Radeon Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500615 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/09/adobe-releases-security-… ∗∗∗ Sunhillo SureLine Command Injection Attack ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/sunhillo-sureline-attack -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2024
by Daily end-of-shift report 09 Apr '24

09 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-04-2024 18:00 − Dienstag 09-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New SharePoint flaws help hackers evade detection when stealing files ∗∗∗ --------------------------------------------- Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [..] Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing. However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-sharepoint-flaws-help-ha… ∗∗∗ Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. [..] The issues were fixed by LG as part of updates released on March 22, 2024. [..] "Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said. --------------------------------------------- https://thehackernews.com/2024/04/researchers-discover-lg-smart-tv.html ∗∗∗ Vorsicht vor falschen Nachrichten vom Finanzamt ∗∗∗ --------------------------------------------- Sie erwarten eine Nachricht vom Finanzamt? Wir raten zur Vorsicht: Derzeit sind zahlreiche gefälschte SMS- und E-Mail-Benachrichtigungen von FinanzOnline bzw. vom Finanzamt im Umlauf. Klicken Sie nicht voreilig auf Links und fragen Sie im Zweifelsfall bei der jeweiligen Behörde nach! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-nachrichten-vo… ∗∗∗ It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise ∗∗∗ --------------------------------------------- We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/ ∗∗∗ Notepad++: Entwickler warnt vor Parasiten-Webseite und bittet um Mithilfe ∗∗∗ --------------------------------------------- Die unautorisierte Webseite bezeichnet sich als "Fan-Projekt", der Notepad++-Entwickler fürchtet jedoch schädliche Auswirkungen. Die Community soll helfen. --------------------------------------------- https://heise.de/-9678725 ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2024-04-09 ∗∗∗ --------------------------------------------- Fortinet has released 12 security advisories: FortiOS, FortiManager, FortiClientLinux, FortiClientMac, FortiProxy, FortiMai, FortiSandbox, FortiNAC-F (1x critical, 4x high, 7x medium) --------------------------------------------- https://www.fortiguard.com/psirt?product=FortiOS-6K7K%2CFortiOS&product=For… ∗∗∗ Fortinet: SMTP Smuggling ∗∗∗ --------------------------------------------- FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend to adhere to the following indications in order to mitigate the potential risk associated to the smuggling attacks [..] --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-009 ∗∗∗ OpenSSL 3.3 Series Release Notes ∗∗∗ --------------------------------------------- Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511]) --------------------------------------------- https://www.openssl.org/news/openssl-3.3-notes.html ∗∗∗ Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224) ∗∗∗ --------------------------------------------- Ollama is an open-source system for running and managing large language models (LLMs). [..] Ollama fixed this issue in release v0.1.29. --------------------------------------------- https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebi… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/969141/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric release their ICS Patch Tuesday advisories for April 2024, informing customers about dozens of vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-palo-alto-… ∗∗∗ SSA-885980 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-885980.html ∗∗∗ SSA-822518 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-822518.html ∗∗∗ SSA-730482 V1.0: Denial of Service Vulnerability in SIMATIC WinCC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-730482.html ∗∗∗ SSA-556635 V1.0: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-556635.html ∗∗∗ SSA-455250 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-455250.html ∗∗∗ SSA-265688 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-265688.html ∗∗∗ SSA-222019 V1.0: X_T File Parsing Vulnerabilities in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-222019.html ∗∗∗ SSA-128433 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-128433.html ∗∗∗ Xen: XSA-454 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-454.html ∗∗∗ Welotec: Two vulnerabilities in TK500v1 router series ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-009/ ∗∗∗ SUBNET PowerSYSTEM Server and Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01 ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Ninja Forms" ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50361500/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SAP-Patchday: Zehn Sicherheitsmitteilungen im April ∗∗∗ --------------------------------------------- https://heise.de/-9678796 ∗∗∗ HP Poly CCX IP-Telefone erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- https://heise.de/-9679027 ∗∗∗ Robot Operating System: Zahlreiche Schwachstellen gefunden und geschlossen ∗∗∗ --------------------------------------------- https://heise.de/-9679260 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2024
by Daily end-of-shift report 08 Apr '24

08 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-04-2024 18:00 − Montag 08-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Rund 16.500 VPN-Instanzen von Ivanti potenziell angreifbar ∗∗∗ --------------------------------------------- Scans zeigen, dass weltweit tausende VPN-Instanzen von Ivanti des Typs Connect Secure und Policy Secure Gateway verwundbar sind. [..] Eigenen Angaben zufolge sind Sicherheitsforscher von Shadowserver weltweit auf rund 16.500 VPN-Instanzen gestoßen, die mit hoher Wahrscheinlichkeit für Attacken empfänglich sind (CVE-2024-21894 „hoch“, CVE-2024-22053 „hoch“). Sind Angriffe erfolgreich, kann Schadcode auf Appliances gelangen. Im Anschluss gelten Systeme in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9677551 ∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗ --------------------------------------------- A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-n… ∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗ --------------------------------------------- Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAIs SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-… ∗∗∗ Tastatursteuerung: Amazon untersucht Sicherheitslücke in Fire-TV-Funktion ∗∗∗ --------------------------------------------- Amazon hat eine Komfort-Funktion für Fire-TV-Geräte aufgrund möglicher Sicherheitsbedenken von Green Line Analytics vorübergehend zurückgezogen. --------------------------------------------- https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitslu… ∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗ --------------------------------------------- Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html ∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis. --------------------------------------------- https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string… ∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗ --------------------------------------------- New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs. --------------------------------------------- https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/ ∗∗∗ Vorsicht vor kostenlosen Diensten zur Anpassung und Veränderung von Dateien ∗∗∗ --------------------------------------------- Sie möchten Dateien konvertieren, verkleinern oder Dokumente zusammenfügen? Im Internet gibt es dafür zahlreiche vermeintlich kostenlose Dienste. Wir raten davon ab, denn hinter vielen Angeboten steckt eine Abofalle. Zudem ist oft unklar, was mit Ihren Dokumenten geschieht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zu… ∗∗∗ IBIS-Hotel: Check-In-Terminal gibt Zugangsdaten fremder Zimmer aus ∗∗∗ --------------------------------------------- Nächster Sicherheitsunfall bei Hotels: Bei den Check-In-Terminals der IBIS-Hotels war es durch Eingabe einer speziellen nicht alphanumerischen Buchungsnummer möglich, die Tastencodes von fast die Hälfte der Zimmer abzurufen. Dritte hätten in die Zimmer eindringen und Wertsachen stehlen können. --------------------------------------------- https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-… ∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗ --------------------------------------------- FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs. --------------------------------------------- https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen). --------------------------------------------- https://lwn.net/Articles/968999/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2024
by Daily end-of-shift report 05 Apr '24

05 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-04-2024 18:00 − Freitag 05-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake AI law firms are sending fake DMCA threats to generate fake SEO gains ∗∗∗ --------------------------------------------- If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods. --------------------------------------------- https://arstechnica.com/?p=2014933 ∗∗∗ Continuation Flood: DoS-Angriffstechnik legt HTTP/2-Server ohne Botnetz lahm ∗∗∗ --------------------------------------------- Für einen erfolgreichen Angriff ist in einigen Fällen nur eine einzige TCP-Verbindung erforderlich. Es kommt zu einer Überlastung von Systemressourcen. --------------------------------------------- https://www.golem.de/news/continuation-flood-dos-angriffstechnik-legt-http-… ∗∗∗ AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks ∗∗∗ --------------------------------------------- New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. [..] To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining the role of a Node within the cluster. --------------------------------------------- https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html ∗∗∗ Bing ad for NordVPN leads to SecTopRAT ∗∗∗ --------------------------------------------- Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-n… ∗∗∗ Neue Dreiecksbetrugsmasche: Kriminelle bestellen in Ihrem Namen ∗∗∗ --------------------------------------------- Sie kaufen online ein, bezahlen und erhalten die gewünschte Ware. Doch nach einigen Wochen erreicht Sie plötzlich eine Mahnung, ein Inkassoschreiben oder sogar eine Betrugsanzeige. Der Grund: Eine nicht bezahlte Rechnung von einem Onlineshop, bei dem Sie gar nichts bestellt haben. In diesem Fall wurden Sie und der Onlineshop betrogen. Wir zeigen Ihnen wie diese neue Masche funktioniert und wie Sie sich schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/neue-dreiecksbetrugsmasche-kriminell… ∗∗∗ The Illusion of Privacy: Geolocation Risks in Modern Dating Apps ∗∗∗ --------------------------------------------- Key takeaways Introduction Dating apps traditionally utilize location data, offering the opportunity to connect with people nearby, and enhancing the chances of real-life meetings. Some apps can also display the distance of the user to other users. This feature is quite useful for coordinating meetups, indicating whether a potential match is just a short distance away or a kilometer apart. However, openly sharing your distance with other users can create serious security issues. The risks become apparent when you consider the potential misuse by a curious individual armed with advanced knowledge of techniques like trilateration. --------------------------------------------- https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-ri… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/968561/ ∗∗∗ Lexmark: Hochriskante Lücken erlauben Codeschmuggel auf Drucker ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in diversen Drucker-Firmwares. Angreifer können Schadcode einschleusen. Updates sind verfügbar. --------------------------------------------- https://heise.de/-9675861 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2024
by Daily end-of-shift report 04 Apr '24

04 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-04-2024 18:00 − Donnerstag 04-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SurveyLama data breach exposes info of 4.4 million users ∗∗∗ --------------------------------------------- In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including: Dates of birth. Email addresses. IP addresses, Full Names, Passwords, Phone numbers, Physical addresses [..] The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification. --------------------------------------------- https://www.bleepingcomputer.com/news/security/surveylama-data-breach-expos… ∗∗∗ New HTTP/2 DoS attack can crash web servers with a single connection ∗∗∗ --------------------------------------------- Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-cr… ∗∗∗ Angriff mit neuer Ransomware: SEXi-Hacker verschlüsseln ESXi-Server ∗∗∗ --------------------------------------------- Die neue SEXi-Ransomware ist kürzlich in einem Rechenzentrum von Powerhost zum Einsatz gekommen. Betroffene Kundensysteme sind wohl teilweise nicht wiederherstellbar. [..] Bei der Bezeichnung scheint es sich um ein Wortspiel zu handeln, denn die Angreifer haben es damit offenkundig auf VMware ESXi-Server abgesehen. --------------------------------------------- https://www.golem.de/news/angriff-mit-neuer-ransomware-sexi-hacker-verschlu… ∗∗∗ Windows NTLM Credentials-Schwachstelle CVE-2024-21320: Fix durch 0patch ∗∗∗ --------------------------------------------- In Windows gibt es eine Schwachstelle (CVE-2024-21320), die NTLM-Anmeldeinformationen über Windows-Themen offen legt. Microsoft hat zwar im Januar 2024 die Schwachstelle CVE-2024-21320 mit einem Patch versehen. Dieser Patch stellt eine Richtlinie bereit, um das Abrufen der NTLM-Anmeldeinformationen zu verhindern, wenn Theme-Dateien auf Netzlaufwerken liegen. ACROS Security hat nun einen Micropatch für den 0patch-Agenten veröffentlicht, der die Schwachstelle generell (ohne Registrierungseingriff) schließt. --------------------------------------------- https://www.borncity.com/blog/2024/04/04/windows-ntlm-credentials-schwachst… ∗∗∗ Latrodectus: This Spider Bytes Like Ice ∗∗∗ --------------------------------------------- We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID.. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities. --------------------------------------------- https://www.team-cymru.com/post/latrodectus-this-spider-bytes-like-ice ∗∗∗ Byakugan – The Malware Behind a Phishing Attack ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered the Byakugan malware behind a recent malware campaign distributed by malicious PDF files [..] In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysis of the overlap between that attack and this and focus primarily on the details of the infostealer. --------------------------------------------- https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phi… ∗∗∗ Politische Parteien vor der EU-Wahl häufiger Ziel von Cyberangriffen ∗∗∗ --------------------------------------------- Cyberangreifer konzentrieren sich derzeit offenbar stark auf politische Akteure und Parteien. Gefahr bestehe besonders durch sogenannte Hack-and-Leak-Angriffe. --------------------------------------------- https://heise.de/-9674511 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks ∗∗∗ --------------------------------------------- IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vul… ∗∗∗ Cisco Security Advisories 2024-04-03 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x High, 11x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-29745 Android Pixel Information Disclosure Vulnerability, CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/04/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-01 ∗∗∗ Schweitzer Engineering Laboratories SEL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2024
by Daily end-of-shift report 03 Apr '24

03 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-04-2024 18:00 − Mittwoch 03-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NIS2-Begutachtungsverfahren gestartet ∗∗∗ --------------------------------------------- Die Regierung hat am 3. April 2024 das Cybersicherheitsgesetz zur europäischen NIS2-Verordnung in Begutachtung geschickt. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D ∗∗∗ Kritik nach Cyberangriff: Microsoft hat seine Kronjuwelen nicht im Griff ∗∗∗ --------------------------------------------- Ein im Sommer 2023 festgestellter Cyberangriff auf Microsofts Server hatte für einige Kunden verheerende Folgen. Eine US-Kommission erhebt nun schwere Vorwürfe gegen den Konzern. --------------------------------------------- https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m… ∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗ --------------------------------------------- As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. --------------------------------------------- https://www.wired.com/story/jia-tan-xz-backdoor/ ∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗ --------------------------------------------- In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident. --------------------------------------------- https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila… ∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗ --------------------------------------------- PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e… ∗∗∗ Hohe Handyrechnung durch ungewolltes Abo? ∗∗∗ --------------------------------------------- Per E-Mail oder SMS werden Sie plötzlich von Ihrem Mobilfunkanbieter darüber informiert, dass Sie ein Abo abgeschlossen haben. Sie sind sich aber sicher, dass Sie keinem Vertrag zugestimmt haben und wissen auch nicht, wie es dazu gekommen ist? Wir zeigen Ihnen, was Sie gegen unseriöse Abbuchungen von Ihrer Handyrechnung tun können und wie Sie sich vor Abofallen schützen. --------------------------------------------- https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes… ∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability. --------------------------------------------- https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121… ∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗ --------------------------------------------- Our new article provides key highlights and takeaways from Operation Cronos disruption of LockBits operations, as well as telemetry details on how LockBit actors operated post-disruption. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti). --------------------------------------------- https://lwn.net/Articles/968218/ ∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗ --------------------------------------------- A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl… ∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗ --------------------------------------------- Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users. --------------------------------------------- https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar… ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗ --------------------------------------------- Neben Google haben auch Samsung und weitere Hersteller wichtige Sicherheitsupdates für Androidgeräte veröffentlicht. --------------------------------------------- https://heise.de/-9673480 ∗∗∗ Codeschmuggellücke in VMware SD-WAN Edge und Orchestrator ∗∗∗ --------------------------------------------- Drei Sicherheitslücken in VMwares SD-WAN Edge und Orchestrator ermöglichen Angreifern unter anderem, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-9673416 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/ ∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗ --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2404-01.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2024
by Daily end-of-shift report 02 Apr '24

02 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-03-2024 18:00 − Dienstag 02-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Staatlich gesponserte "Entwicklung" quelloffener Software ∗∗∗ --------------------------------------------- Wer auf der Suche nach einer kurzen Zusammenfassung der Geschehnisse rund um die (höchstwahrscheinliche) Backdoor in xz, CVE-2024-3094, ist, möge einen Blick auf diese durch den Sicherheitsforscher Thomas Roccia erstellte Grafik werfen. Darin sind die wichtigsten Details zusammengefasst, die in den folgenden Absätze wesentlich ausführlicher beleuchtet werden. Alternativ hätte dieser Blogpost auch einen deutlich knackigeren Titel haben können - "CVE-2024-3094", um jene geht es in diesem Beitrag nämlich. --------------------------------------------- https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffen… ∗∗∗ The amazingly scary xz sshd backdoor, (Mon, Apr 1st) ∗∗∗ --------------------------------------------- The whole story around this is both fascinating and scary – and I’m sure will be told around numerous time, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let’s take a look at couple of fascinating things in this backdoor. --------------------------------------------- https://isc.sans.edu/diary/rss/30802 ∗∗∗ On Cybersecurity Alert Levels ∗∗∗ --------------------------------------------- Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here. --------------------------------------------- https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels ∗∗∗ Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! ∗∗∗ --------------------------------------------- Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone. --------------------------------------------- https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed… ∗∗∗ From OneNote to RansomNote: An Ice Cold Intrusion ∗∗∗ --------------------------------------------- In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware. --------------------------------------------- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold… ∗∗∗ Adversaries are leveraging remote access tools now more than ever — here’s how to stop them ∗∗∗ --------------------------------------------- While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. --------------------------------------------- https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access… ∗∗∗ Earth Freybug Uses UNAPIMON for Unhooking Critical APIs ∗∗∗ --------------------------------------------- This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html ===================== = Vulnerabilities = ===================== ∗∗∗ Update #1: Kritische Sicherheitslücke/Hintertüre in xz-utils (CVE-2024-3094) ∗∗∗ --------------------------------------------- In den Versionen 5.6.0 und 5.6.1 der weit verbreiteten Bibliothek xz-utils wurde eine Hintertür entdeckt. xz-utils wird häufig zur Komprimierung von Softwarepaketen, Kernel-Images und initramfs-Images verwendet. Die Lücke ermöglicht es nicht authentifizierten Angreifer:innen, die sshd-Authentifizierung auf verwundbaren Systemen zu umgehen und unauthorisierten Zugriff auf das gesamte System zu erlangen. Aktuell liegen uns keine Informationen über eine aktive Ausnutzung vor. --------------------------------------------- https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton). --------------------------------------------- https://lwn.net/Articles/967851/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite). --------------------------------------------- https://lwn.net/Articles/967959/ ∗∗∗ Security Flaw in WP-Members Plugin Leads to Script Injection ∗∗∗ --------------------------------------------- A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages. --------------------------------------------- https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-sc… ∗∗∗ Bitdefender hat hochriskante Sicherheitslücke abgedichtet ∗∗∗ --------------------------------------------- Durch eine Sicherheitslücke konnten Angreifer auf Rechnern mit Bitdefender-Virenschutz ihre Rechte ausweiten. Die Lücke wurde geschlossen. --------------------------------------------- https://heise.de/-9672841 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000139092 : DNS vulnerability CVE-2023-50387 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139092 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2024
by Daily end-of-shift report 29 Mar '24

29 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-03-2024 18:00 − Freitag 29-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Doctor Web’s January 2024 review of virus activity on mobile devices ∗∗∗ --------------------------------------------- According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%. --------------------------------------------- https://news.drweb.com/show/review/?lng=en&i=14833 ∗∗∗ Quick Forensics Analysis of Apache logs, (Fri, Mar 29th) ∗∗∗ --------------------------------------------- Sometimes, you’ve to quickly investigate a webserver logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs on a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible of their location/source and only download the investigation results. --------------------------------------------- https://isc.sans.edu/diary/rss/30792 ∗∗∗ New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking ∗∗∗ --------------------------------------------- Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a users password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. --------------------------------------------- https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html ∗∗∗ Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds ∗∗∗ --------------------------------------------- Security vulnerabilities discovered in Dormakabas Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988. --------------------------------------------- https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html ∗∗∗ Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base ∗∗∗ --------------------------------------------- US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity. --------------------------------------------- https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-d… ∗∗∗ E-Mail über „fragwürdige Transaktion“ führt zu Schadsoftware ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle wahllos E-Mails an Unternehmen mit dem Betreff „Questionable Transaction on Credit Card - Need Explanation“. Die Kriminellen bitten darum, auf die E-Mail zu antworten, um zu erklären, woher die „fragwürdige Transaktion“ auf der Kreditkarte kommt. Wer antwortet, erhält prompt eine neue E-Mail. Diesmal wird ein Kontoauszug als Beweis mitgeschickt. Das behaupten zumindest die Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktio… ∗∗∗ Stories from the SOC Part 1: IDAT Loader to BruteRatel ∗∗∗ --------------------------------------------- In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. --------------------------------------------- https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-ida… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15). --------------------------------------------- https://lwn.net/Articles/967134/ ∗∗∗ 26 Security Issues Patched in TeamCity ∗∗∗ --------------------------------------------- TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”. --------------------------------------------- https://www.securityweek.com/26-security-issues-patched-in-teamcity/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000139084 : DNS vulnerability CVE-2023-50868 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139084 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2024
by Daily end-of-shift report 28 Mar '24

28 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-03-2024 18:00 − Donnerstag 28-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗ --------------------------------------------- A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service… ∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗ --------------------------------------------- Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spra… ∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗ --------------------------------------------- In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022. --------------------------------------------- https://securelist.com/dinodasrat-linux-implant/112284/ ∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗ --------------------------------------------- It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called “_Rechnung_01941085434_PDF.js” (Invoice in German) with a low VT score. --------------------------------------------- https://isc.sans.edu/diary/rss/30788 ∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗ --------------------------------------------- The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain. --------------------------------------------- https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its… ∗∗∗ Netz-digitalisierung.com eröffnet Konten in Ihrem Namen! ∗∗∗ --------------------------------------------- Verlockende Nebenjob-Angebote als App-Tester:in oder Studienteilnehmer:in über die Seite netz-digitalisierung.com führen zu Identitätsdiebstahl! Die Kriminellen eröffnen Konten in Ihrem Namen und verwenden diese möglicherweise für kriminelle Zwecke. --------------------------------------------- https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/ ∗∗∗ Pre-Ransomware Aktivität: Schadakteure nutzen CitrixBleed (CVE-2023-4966) noch immer und verstärkt für Initialzugriff ∗∗∗ --------------------------------------------- Aktuell sind uns einige Ransomware-Vorfälle in Österreich bekannt, bei denen mit sehr hoher Wahrscheinlichkeit CitrixBleed (CVE-2023-4966) als primärer Angriffsvektor für den initialen Zugriff auf die Organisationsnetzwerke benutzt wurde. Ein Patch steht seit geraumer Zeit zur Verfügung. --------------------------------------------- https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-n… ∗∗∗ Schon wieder zu viel Schadcode: Keine neuen Projekte für Python-Registry PyPI ∗∗∗ --------------------------------------------- Ein Ansturm von Paketen mit Schadcode hat die Betreiber des Python Package Index dazu veranlasst, die Aufnahme neuer Projekte und User zu stoppen. --------------------------------------------- https://heise.de/-9670240 ===================== = Vulnerabilities = ===================== ∗∗∗ Nvidias newborn ChatRTX bot patched for security bugs ∗∗∗ --------------------------------------------- ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux). --------------------------------------------- https://lwn.net/Articles/966961/ ∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗ --------------------------------------------- Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue. --------------------------------------------- https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-p… ∗∗∗ Neue SugarCRM-Versionen schließen kritische Lücken ∗∗∗ --------------------------------------------- Insgesamt 18, teils kritische Lücken schließen die neuen Versionen SugarCRM 13.03. und 12.05. --------------------------------------------- https://heise.de/-9670436 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_05 ∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2024
by Daily end-of-shift report 27 Mar '24

27 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-03-2024 18:00 − Mittwoch 27-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ransomware as a Service and the Strange Economics of the Dark Web ∗∗∗ --------------------------------------------- Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-… ∗∗∗ CISA tags Microsoft SharePoint RCE bug as actively exploited ∗∗∗ --------------------------------------------- CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoi… ∗∗∗ Row breaks out over true severity of two DNSSEC flaws ∗∗∗ --------------------------------------------- Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_ris… ∗∗∗ Gefälschte Booking.com-Kontaktnummern locken in die Falle! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen Telefonnummern in Acht, wenn Sie nach Booking.com Kontaktinfos googeln. Kriminelle erstellen Fake-Websites mit Booking-Logo und blenden Telefonnummern ein. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-bookingcom-kontaktnummer… ∗∗∗ Advanced Nmap Scanning Techniques ∗∗∗ --------------------------------------------- Beyond its fundamental port scanning capabilities, Nmap offers a suite of advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/advanced-nmap-scann… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers exploit Ray framework flaw to breach servers, hijack resources ∗∗∗ --------------------------------------------- A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framewor… ∗∗∗ Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions ∗∗∗ --------------------------------------------- A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users systems and carry out malicious actions. --------------------------------------------- https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow). --------------------------------------------- https://lwn.net/Articles/966835/ ∗∗∗ Exposing a New BOLA Vulnerability in Grafana ∗∗∗ --------------------------------------------- Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana. --------------------------------------------- https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Security Advisories 2024-03-27 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Splunk Security Advisories ∗∗∗ --------------------------------------------- https://advisory.splunk.com/advisories ∗∗∗ Google Chrome: Kritische Schwachstelle bedroht Browser-Nutzer ∗∗∗ --------------------------------------------- https://heise.de/-9668035 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2024
by Daily end-of-shift report 26 Mar '24

26 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 25-03-2024 18:00 − Dienstag 26-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗ --------------------------------------------- Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play… ∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗ --------------------------------------------- During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do? --------------------------------------------- https://isc.sans.edu/diary/rss/30774 ∗∗∗ Agent Teslas New Ride: The Rise of a Novel Loader ∗∗∗ --------------------------------------------- This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-tesla… ∗∗∗ The Darkside of TheMoon ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at of a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours. --------------------------------------------- https://blog.lumen.com/the-darkside-of-themoon/ ∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗ --------------------------------------------- Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apples password reset feature. In this scenario, a targets Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Dont Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line). --------------------------------------------- https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-ap… ∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗ --------------------------------------------- A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon. --------------------------------------------- https://www.securityweek.com/suspicious-nuget-package-harvesting-informatio… ∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗ --------------------------------------------- This blog entry discusses the Agenda ransomware groups use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/966678/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254,CVE-2024-23263, CVE-2024-23280,CVE-2024-23284, CVE-2023-42950,CVE-2023-42956, CVE-2023-42843. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0002.html ∗∗∗ macOS 14.4.1 mit jeder Menge Bugfixes – Sicherheitshintergründe zu iOS 17.4.1 ∗∗∗ --------------------------------------------- Apple hat am Montagabend ein weiteres Update für macOS 14 veröffentlicht. Es behebt diverse Fehler. Parallel gibt es Infos zu iOS 17.4.1 und dessen Fixes. --------------------------------------------- https://heise.de/-9666170 ∗∗∗ Loadbalancer: Sicherheitslücken in Loadmaster von Progress/Kemp ∗∗∗ --------------------------------------------- In der Loadbalancer-Software Loadmaster von Progress/Kemp klaffen Sicherheitslücken, durch die Angreifer etwa Befehle einschleusen können. --------------------------------------------- https://heise.de/-9666253 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssb-201698.html ∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04 ∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02 ∗∗∗ Rockwell Automation Arena Simulation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03 ∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2024
by Daily end-of-shift report 25 Mar '24

25 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-03-2024 18:00 − Montag 25-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New ZenHammer memory attack impacts AMD Zen CPUs ∗∗∗ --------------------------------------------- Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-… ∗∗∗ New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts ∗∗∗ --------------------------------------------- Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-k… ∗∗∗ Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others ∗∗∗ --------------------------------------------- Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. --------------------------------------------- https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html ∗∗∗ New Go loader pushes Rhadamanthys stealer ∗∗∗ --------------------------------------------- A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader… ∗∗∗ Phishing mit gefälschten Rechnungen von Anwaltskanzleien ∗∗∗ --------------------------------------------- Laut BlueVoyant geben sich die Angreifer als Anwaltskanzleien aus und missbrauchen das Vertrauen, das ihre Opfer "seriösen" Juristen entgegenbringen. [..] Die NaurLegal-Kampagne täuscht Legitimität vor, indem sie PDF-Dateien mit seriös anmutenden Dateinamen wie „Rechnung_[Nummer]_von_[Name der Anwaltskanzlei].pdf“ erstellt und versendet. [..] Die Infrastruktur der NaurLegal-Kampagne umfasst Domänen, die mit WikiLoader verknüpft sind und deren Folgeaktivitäten auf eine Zuordnung zu dieser Malware-Familie schließen lassen. WikiLoader ist bekannt für ausgefeilte Verschleierungstechniken, wie z. B. die Überprüfung von Wikipedia-Antworten auf bestimmte Zeichenfolgen, um Sandbox-Umgebungen zu umgehen. --------------------------------------------- https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwa… ∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-sec… ∗∗∗ APT29 Uses WINELOADER to Target German Political Parties ∗∗∗ --------------------------------------------- In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. --------------------------------------------- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf). --------------------------------------------- https://lwn.net/Articles/966611/ ∗∗∗ Firefox: Notfall-Update schließt kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler haben zwei kritische Sicherheitslücken mit dem Update auf Firefox 124.0.1 und Firefox ESR 115.9.1 geschlossen. --------------------------------------------- https://heise.de/-9664148 ∗∗∗ Sicherheitslücken in Microsofts WiX-Installer-Toolset gestopft ∗∗∗ --------------------------------------------- Das quelloffene WiX-Installer-Toolset von Microsoft hat zwei Sicherheitslücken. Die dichten aktualisierte Versionen ab. --------------------------------------------- https://heise.de/-9664602 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ MISP 2.4.188 released major performance improvements and many bugs fixed. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/ ∗∗∗ MISP 2.4.187 released with security fixes, new features and bugs fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/ ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-06 ∗∗∗ F5: K000138990 : BIND vulnerability CVE-2023-4408 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138990 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2024
by Daily end-of-shift report 22 Mar '24

22 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-03-2024 18:00 − Freitag 22-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-… ∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗ --------------------------------------------- The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the sites operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-… ∗∗∗ Mit gefälschten Keycards: Hacker können weltweit Millionen von Hoteltüren öffnen ∗∗∗ --------------------------------------------- Mehr als drei Millionen Türen in Hotels und Mehrfamilienhäusern sind anfällig für Angriffe mit gefälschten RFID-Schlüsselkarten. Teure Spezialausrüstung braucht es dafür nicht. --------------------------------------------- https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit… ∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗ --------------------------------------------- Attributing a particular IP address to a specific location is hard and often fails miserably. --------------------------------------------- https://isc.sans.edu/diary/rss/30766 ∗∗∗ Unterstützungsmail im Namen von Marlene Engelhorn ist Fake! ∗∗∗ --------------------------------------------- Derzeit kursieren zahlreiche E-Mails im Namen der österreichischen Millionärin Marlene Engelhorn: Angeblich will sie mit einem Teil ihres Erbes „aufstrebende Unternehmer und lokale Projekte“ unterstützen. Achtung: Hinter dieser E-Mail stecken Kriminelle. Antworten Sie daher auf keinen Fall. --------------------------------------------- https://www.watchlist-internet.at/news/fake-marlene-engelhorn/ ∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗ --------------------------------------------- We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. --------------------------------------------- https://unit42.paloaltonetworks.com/strelastealer-campaign/ ∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗ --------------------------------------------- In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/ ∗∗∗ Sicherheit contra Offenheit – ein Kommentar zu Secure Boot ∗∗∗ --------------------------------------------- Secure Boot ist kompliziert, frickelig und wird von Microsoft dominiert. Stattdessen brauchen wir offene sichere Systeme, meint Christof Windeck. --------------------------------------------- https://heise.de/-9659071 ===================== = Vulnerabilities = ===================== ∗∗∗ KDE advises extreme caution after theme wipes Linux users files ∗∗∗ --------------------------------------------- On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktops appearance. --------------------------------------------- https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0). --------------------------------------------- https://lwn.net/Articles/966415/ ∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗ --------------------------------------------- During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. --------------------------------------------- https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s… ∗∗∗ Microsoft schließt Sicherheitslücke in Xbox-Gaming-Dienst – nach Hickhack ∗∗∗ --------------------------------------------- Microsoft hat ein Sicherheitsleck im Xbox Gaming Service abgedichtet. Dem ging jedoch eine Diskussion voraus. --------------------------------------------- https://heise.de/-9662746 ∗∗∗ Kritische Sicherheitslücke in FortiClientEMS wird angegriffen ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in FortiClientEMS wird inzwischen aktiv angegriffen. Zudem ist ein Proof-of-Concept-Exploit öffentlich geworden. --------------------------------------------- https://heise.de/-9662866 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2024
by Daily end-of-shift report 21 Mar '24

21 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-03-2024 18:00 − Donnerstag 21-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗ --------------------------------------------- A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. --------------------------------------------- https://arstechnica.com/?p=2011812 ∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗ --------------------------------------------- Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account… ∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗ --------------------------------------------- A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai… ∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st thats used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks." --------------------------------------------- https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html ∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗ --------------------------------------------- The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future. --------------------------------------------- https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw… ∗∗∗ Betrügerische Europol-SMS führt zu Schadsoftware ∗∗∗ --------------------------------------------- In der massenhaft verschickten, betrügerischen SMS wird behauptet, dass Sie als Beteiligter in einem EUROPOL-Fall geführt werden. Um Einspruch zu erheben, sollen Sie eine App installieren. Vorsicht – Sie installieren Schadsoftware auf Ihrem Gerät und geben Kriminellen Zugang zu Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-europol-sms/ ∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗ --------------------------------------------- Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor. --------------------------------------------- https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/ ∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗ --------------------------------------------- Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp… ∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗ --------------------------------------------- The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data. --------------------------------------------- https://asec.ahnlab.com/en/63308/ ∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗ --------------------------------------------- We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-full-kill-chain/ ∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗ --------------------------------------------- In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets. --------------------------------------------- https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-… ∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗ --------------------------------------------- Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel… ===================== = Vulnerabilities = ===================== ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗ --------------------------------------------- Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi). --------------------------------------------- https://lwn.net/Articles/966246/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01 ∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2024
by Daily end-of-shift report 20 Mar '24

20 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-03-2024 18:00 − Mittwoch 20-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗ --------------------------------------------- Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development. --------------------------------------------- https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta… ∗∗∗ Android malware, Android malware and more Android malware ∗∗∗ --------------------------------------------- In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan. --------------------------------------------- https://securelist.com/crimeware-report-android-malware/112121/ ∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗ --------------------------------------------- Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/30762 ∗∗∗ Phishing im Namen der Österreichischen Gesundheitskasse ÖGK ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen E-Mails in Acht, die Sie im Namen der Österreichischen Gesundheitskasse ÖGK erhalten. Aktuell spielt man Ihnen vor, dass es eine ausstehende Rückerstattung für Sie gibt. Folgen Sie hier keinen Links und geben Sie keine Daten bekannt. Man versucht Ihnen Geld und Daten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/ ∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗ --------------------------------------------- Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that youve told your friends and family to stop being reckless too. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p… ∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗ --------------------------------------------- Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data. --------------------------------------------- https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e… ∗∗∗ Loop DoS: Verschiedene Netzwerkdienste leiden unter Protokoll-Endlosschleife ∗∗∗ --------------------------------------------- Unter den Diensten, die Sicherheitsforscher als Gefahr identifiziert haben, sind auch solche aus der Frühzeit des Internets. Nun sind Netzwerk-Admins gefragt. --------------------------------------------- https://heise.de/-9660179 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...] --------------------------------------------- https://lwn.net/Articles/966053/ ∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗ --------------------------------------------- There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/ ∗∗∗ Atlassian: Patch-Reigen im März für Bamboo, Bitbucket, Confluence und Jira ∗∗∗ --------------------------------------------- Atlassian behandelt 25 Sicherheitslücken in Bamboo, Bitbucket, Confluence und Jira. Eine davon gilt als kritisch. --------------------------------------------- https://heise.de/-9660075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html ∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm ∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry ∗∗∗ Webbrowser Chrome: Google dichtet mehrere Sicherheitslecks ab ∗∗∗ --------------------------------------------- https://heise.de/-9659978 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2024
by Daily end-of-shift report 19 Mar '24

19 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 18-03-2024 18:00 − Dienstag 19-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗ --------------------------------------------- A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targ… ∗∗∗ Turnier verschoben: Mögliche RCE-Schwachstelle bedroht Apex-Legends-Spieler ∗∗∗ --------------------------------------------- Der weitverbreitete Free-to-play-Shooter Apex Legends steht derzeit im Verdacht, unter einer Sicherheitslücke zu leiden, die es Angreifern ermöglicht, aus der Ferne die Kontrolle über die Computer der Spieler zu übernehmen. Ob die Schwachstelle das Spiel selbst oder dessen Anti-Cheat-Software betrifft, ist wohl noch unklar. --------------------------------------------- https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-be… ∗∗∗ ARM MTE: Androids Hardwareschutz gegen Speicherlücken umgehbar ∗∗∗ --------------------------------------------- Mit dem Memory-Tagging moderner ARM-CPUs soll das Potenzial bestimmter Sicherheitslücken verkleinert werden. Die Idee hat deutliche Grenzen. Das Security-Forschungsteam des Code-Hosters Github hat die Ausnutzung einer Speicherlücke beschrieben, bei der der dafür eigentlich vorgesehene Schutz, das Memory-Tagging, offenbar gar keine Rolle spielt. Den Beteiligten ist es demnach gelungen, eine Sicherheitslücke in ARMs GPU-Treiber, die vollen Kernelzugriff und das Erlangen von Root-Rechten ermöglicht, auch auf einem aktuellen Pixel 8 auszunutzen, auf dem die sogenannten Memory Tagging Extension (MTE) aktiviert ist. --------------------------------------------- https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherlue… ∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗ --------------------------------------------- The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day. --------------------------------------------- https://isc.sans.edu/diary/rss/30758 ∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗ --------------------------------------------- A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk"). --------------------------------------------- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html ∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗ --------------------------------------------- This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006. --------------------------------------------- https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loade… ∗∗∗ Claroty-Report: Zahlreiche Schwachstellen in medizinischen Netzwerken und Geräten ∗∗∗ --------------------------------------------- Sicherheitsanbieter Claroty hat sein Team82, eine Forschungseinheit von Claroty, auf das Thema Sicherheit im Medizinbereich, bezogen auf Geräte und Netzwerke, angesetzt, um die Auswirkungen der zunehmenden Vernetzung medizinischer Geräte zu untersuchen. Ziel des Berichts ist es, die umfassende Konnektivität kritischer medizinischer Geräte – von bildgebenden Systemen bis hin zu Infusionspumpen – aufzuzeigen und die damit verbundenen Risiken zu beleuchten. [..] Das erschreckende Ergebnis: Im Rahmen der Untersuchungen von Team82 tauchen häufig Schwachstellen und Implementierungsfehler auf. --------------------------------------------- https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachs… ∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗ --------------------------------------------- Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim). --------------------------------------------- https://lwn.net/Articles/965958/ ∗∗∗ RaspberryMatic: Kritische Lücke erlaubt Codeschmuggel ∗∗∗ --------------------------------------------- Im freien HomeMatic-Server RaspberryMatic klafft eine Codeschmuggel-Lücke. Sie gilt als kritisch. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9658709 ∗∗∗ Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Mozilla dichtet zahlreiche Sicherheitslücken im Webbrowser Firefox und Mailer Thunderbird ab. --------------------------------------------- https://heise.de/-9659433 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2024
by Daily end-of-shift report 18 Mar '24

18 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-03-2024 18:00 − Montag 18-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New acoustic attack determines keystrokes from typing patterns ∗∗∗ --------------------------------------------- Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determin… ∗∗∗ Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft. --------------------------------------------- https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.ht… ∗∗∗ Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects ∗∗∗ --------------------------------------------- Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential. --------------------------------------------- https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-thre… ∗∗∗ Saisonale Betrugsmaschen: Vorsicht bei der Urlaubsbuchung! ∗∗∗ --------------------------------------------- Passend zur Jahreszeit, in der besonders viele Urlaubsbuchungen vorgenommen werden, veröffentlichen Kriminelle betrügerische Urlaubsbuchungsplattformen wie fincas-und-villen.com. Lassen Sie sich nicht von den günstigen Preisen und schönen Bildern blenden: Hier verlieren Sie Ihr Geld und enden im schlimmsten Fall ohne Unterkunft am Urlaubsziel. --------------------------------------------- https://www.watchlist-internet.at/news/saisonale-betrugsmaschen-urlaubsbuch… ∗∗∗ Wie OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? ∗∗∗ --------------------------------------------- Es ist eine Frage, die sich wohl jeder Sicherheitsverantwortliche stellt, wenn es um die Cloud und den Zugriff auf Dienste mittels OAuth geht. Die Fragestellung: Wie lassen sich OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? Und wie kann man das mit Microsoft-Technologie erledigen. --------------------------------------------- https://www.borncity.com/blog/2024/03/17/wie-oauth-anwendungen-ber-tenant-g… ∗∗∗ Top things that you might not be doing (yet) in Entra Conditional Access – Advanced Edition ∗∗∗ --------------------------------------------- In this second part, we’ll go over more advanced security controls within Conditional Access that, in my experience, are frequently overlooked in environments during security assessments. --------------------------------------------- https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet… ∗∗∗ Ethereum’s CREATE2: A Double-Edged Sword in Blockchain Security ∗∗∗ --------------------------------------------- Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds. --------------------------------------------- https://research.checkpoint.com/2024/ethereums-create2-a-double-edged-sword… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers exploit Aiohttp bug to find vulnerable networks ∗∗∗ --------------------------------------------- The ransomware actor ShadowSyndicate was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-… ∗∗∗ Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 ∗∗∗ --------------------------------------------- In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit. --------------------------------------------- https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-r… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8). --------------------------------------------- https://lwn.net/Articles/965829/ ∗∗∗ PoC Published for Critical Fortra Code Execution Vulnerability ∗∗∗ --------------------------------------------- A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution. --------------------------------------------- https://www.securityweek.com/poc-published-for-critical-fortra-code-executi… ∗∗∗ Kritische Sicherheitslücke CVE-2024-21762 in Fortinet FortiOS wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- In unserer Warnung vom 09. Februar 2024 haben wir bereits über die Sicherheitslücken CVE-2024-21762 und CVE-2024-23113 berichtet und in Folge Besitzer:innen über die für die IP-Adressen hinterlegten Abuse-Kontakten informiert. CVE-2024-21762 wird seit kurzem nun aktiv ausgenutzt. Unauthentifizierte Angreifer:innen können auf betroffenen Geräten beliebigen Code ausführen. --------------------------------------------- https://cert.at/de/aktuelles/2024/3/kritische-sicherheitslucke-cve-2024-217… ∗∗∗ Spring Framework: Updates beheben neue, alte Sicherheitslücke ∗∗∗ --------------------------------------------- Nutzen Spring-basierte Anwendungen eine URL-Parsing-Funktion des Frameworks, öffnen sie sich für verschiedene Attacken. Nicht zum ersten Mal. --------------------------------------------- https://heise.de/-9657496 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2024
by Daily end-of-shift report 15 Mar '24

15 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-03-2024 18:00 − Freitag 15-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗ --------------------------------------------- SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone… ∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗ --------------------------------------------- A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri… ∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗ --------------------------------------------- About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability. --------------------------------------------- https://isc.sans.edu/diary/rss/30746 ∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗ --------------------------------------------- Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub. --------------------------------------------- https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht… ∗∗∗ Vorsicht vor Abo-Falle auf produktretter.at! ∗∗∗ --------------------------------------------- Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre… ∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗ --------------------------------------------- We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/ ∗∗∗ How to share sensitive files securely online ∗∗∗ --------------------------------------------- Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe. --------------------------------------------- https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl… ∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗ --------------------------------------------- Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later. --------------------------------------------- https://blog.talosintelligence.com/ransomware-affiliate-model/ ∗∗∗ Zwei Backdoors in Ivanti-Appliances analysiert ∗∗∗ --------------------------------------------- Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben. --------------------------------------------- https://heise.de/-9656137 ∗∗∗ Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig ∗∗∗ --------------------------------------------- Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus. --------------------------------------------- https://heise.de/-9656574 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗ --------------------------------------------- In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010 --------------------------------------------- https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird). --------------------------------------------- https://lwn.net/Articles/965576/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗ --------------------------------------------- https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2024
by Daily end-of-shift report 14 Mar '24

14 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-03-2024 18:00 − Donnerstag 14-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗ --------------------------------------------- The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us… ∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗ --------------------------------------------- Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages. --------------------------------------------- https://isc.sans.edu/diary/rss/30744 ∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗ --------------------------------------------- Recently, the US National Security Agency (NSA) joined United Kingdom’s National Cyber Security Center (NCSC) in releasing an advisory detailing the recent TTPs (or tactics, techniques, and procedures) of the group known as APT29 (or, in other taxonomies of threat actors, Midnight Blizzard, the Dukes, and Cozy Bear). --------------------------------------------- https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-… ===================== = Vulnerabilities = ===================== ∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗ --------------------------------------------- In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them. --------------------------------------------- https://securelist.com/windows-vulnerabilities/112232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server). --------------------------------------------- https://lwn.net/Articles/965470/ ∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗ --------------------------------------------- A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints. --------------------------------------------- https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex… ∗∗∗ Cisco schließt hochriskante Lücken in IOS XR ∗∗∗ --------------------------------------------- Cisco warnt vor SIcherheitslücken mit teils hohem Risiko im Router-Betriebssystem IOS XR. Updates stehen bereit. --------------------------------------------- https://heise.de/-9654542 ∗∗∗ Schnell upgraden: Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Neue Funktionen liefert GarageBand 10.4.11 laut Apple nicht. Dafür steckt ein wichtiger Sicherheitsfix drin. Nutzer sollten die macOS-App schnell aktualisieren. --------------------------------------------- https://heise.de/-9654638 ∗∗∗ HP: Viele Laptops und PCs von Codeschmuggel-Lücke betroffen ∗∗∗ --------------------------------------------- Eine BIOS-Sicherheitsfunktion von HP-Laptops und -PCs kann von Angreifern umgangen werden. BIOS-Updates stehen bereit oder werden grad entwickelt. --------------------------------------------- https://heise.de/-9654678 ∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/488902 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Softing edgeConnector ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13 ∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2024
by Daily end-of-shift report 13 Mar '24

13 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-03-2024 18:00 − Mittwoch 13-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗ --------------------------------------------- We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-g… ∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗ --------------------------------------------- Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script). --------------------------------------------- https://isc.sans.edu/diary/rss/30740 ∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗ --------------------------------------------- A number of software brands are being impersonated with malicious ads and fake sites to distribute malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-deliv… ∗∗∗ Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug! ∗∗∗ --------------------------------------------- Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsic… ∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗ --------------------------------------------- Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities. --------------------------------------------- https://therecord.media/jetbrains-rapid7-silent-patching-dispute ∗∗∗ Unpacking Flutter hives ∗∗∗ --------------------------------------------- The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code. --------------------------------------------- https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/ ∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗ --------------------------------------------- Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. --------------------------------------------- https://blog.talosintelligence.com/threat-actors-leveraging-document-publis… ∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗ --------------------------------------------- The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x High, 4x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x Medium --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗ --------------------------------------------- Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password. --------------------------------------------- https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn). --------------------------------------------- https://lwn.net/Articles/965278/ ∗∗∗ März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V ∗∗∗ --------------------------------------------- Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken. --------------------------------------------- https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritisch… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-… ∗∗∗ AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs ∗∗∗ --------------------------------------------- Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions. --------------------------------------------- https://heise.de/-9653846 ∗∗∗ Fortinet-Patchday: Updates gegen kritische Schwachstellen ∗∗∗ --------------------------------------------- Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen. --------------------------------------------- https://heise.de/-9653730 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-upd… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/de/product_security/home ∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-453.html ∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-452.html ∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-039/ ∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html ∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html ∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006 ∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005 ∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004 ∗∗∗ Google Chrome: Drei Sicherheitslöcher gestopft ∗∗∗ --------------------------------------------- https://heise.de/-9653082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2024
by Daily end-of-shift report 12 Mar '24

12 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-03-2024 18:00 − Dienstag 12-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Inception Attack: Neue Angriffstechnik ermöglicht Manipulation von VR-Inhalten ∗∗∗ --------------------------------------------- Angreifer können nicht nur sensible Informationen abgreifen, sondern auch dem VR-Nutzer angezeigte Inhalte verändern, ohne dass dieser etwas merkt. --------------------------------------------- https://www.golem.de/news/inception-attack-neue-angriffstechnik-ermoeglicht… ∗∗∗ Verträge und Abos kündigen: Vorsicht vor kostenpflichtigen Angeboten ∗∗∗ --------------------------------------------- Sie möchten Ihren Vertrag kündigen, wissen aber nicht wie? Oft sind die Informationen zur Kündigung und Kontaktadressen des jeweiligen Unternehmens auch unauffindbar. Aus gutem Grund suchen Konsument:innen daher nach Diensten, die den Kündigungsprozess übernehmen. Oft sind diese Dienste kostenpflichtig oder selbst eine Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/vertraege-und-abos-kuendigen-vorsich… ∗∗∗ Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption ∗∗∗ --------------------------------------------- Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ CISA Publishes SCuBA Hybrid Identity Solutions Guidance ∗∗∗ --------------------------------------------- CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hyb… ∗∗∗ VCURMS: A Simple and Functional Weapon ∗∗∗ --------------------------------------------- ForitGuard Labs uncovers a rat VCURMS weapon and STRRAT in a phishing campaign --------------------------------------------- https://feeds.fortinet.com/~/873512375/0/fortinet/blogs~VCURMS-A-Simple-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/965113/ ∗∗∗ SAP schließt zehn Sicherheitslücken am März-Patchday ∗∗∗ --------------------------------------------- SAP hat zehn neue Sicherheitsmitteilungen zum März-Patchday veröffentlicht. Zwei der geschlossenen Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-9652057 ∗∗∗ Synology dichtet Sicherheitslecks in SRM ab ∗∗∗ --------------------------------------------- Im Synology Router Manager (SRM) klaffen Sicherheitslecks, durch die Angreifer etwa Scripte einschleusen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9652225 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ SSA-918992 V1.0: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-918992.html ∗∗∗ SSA-832273 V1.0: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-832273.html ∗∗∗ SSA-792319 V1.0: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-792319.html ∗∗∗ SSA-770721 V1.0: Multiple Vulnerabilities in SIMATIC RF160B before V2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-770721.html ∗∗∗ SSA-653855 V1.0: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-653855.html ∗∗∗ SSA-576771 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-576771.html ∗∗∗ SSA-382651 V1.0: File Parsing Vulnerability in Solid Edge before V223.0.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-382651.html ∗∗∗ SSA-366067 V1.0: Multiple Vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-366067.html ∗∗∗ SSA-353002 V1.0: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-353002.html ∗∗∗ SSA-225840 V1.0: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-225840.html ∗∗∗ SSA-145196 V1.0: Authorization Bypass Vulnerability in Siveillance Control ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-145196.html ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-011/ ∗∗∗ Citrix SDWAN Security Bulletin for CVE-2024-2049 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX617071/citrix-sdwan-security-bulletin… ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0005 ∗∗∗ Missing PSK secret for IKEv2 connection can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt ∗∗∗ Schneider Electric EcoStruxure Power Design ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-072-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2024
by Daily end-of-shift report 11 Mar '24

11 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-03-2024 18:00 − Montag 11-03-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake Leather wallet app on Apple App Store is a crypto drainer ∗∗∗ --------------------------------------------- The developers of the Leather cryptocurrency wallet are warning of a fake app on the Apple App Store, with users reporting it is a wallet drainer that stole their digital assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-leather-wallet-app-on-a… ∗∗∗ What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th) ∗∗∗ --------------------------------------------- As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. --------------------------------------------- https://isc.sans.edu/diary/rss/30730 ∗∗∗ Check your email security, and protect your customers ∗∗∗ --------------------------------------------- Free online tool from the NCSC prevents cyber criminals using your email to conduct cyber attacks. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cyes-protect-customers ∗∗∗ Leicht verdientes Geld auf Instagram? Vorsicht vor dieser Betrugsmasche ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram – angeblich von einer Künstlerin bzw. einem Künstler. Die Person behauptet, dass sie eines Ihrer Bilder auf Instagram als Vorlage für ein Gemälde nutzen möchte. Sie bekommen dafür angeblich 500 Euro. Gehen Sie nicht auf dieses Angebot ein, Sie werden betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/leicht-verdientes-geld-auf-instagram… ∗∗∗ Misconfiguration Manager: Overlooked and Overprivileged ∗∗∗ --------------------------------------------- Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. --------------------------------------------- https://posts.specterops.io/misconfiguration-manager-overlooked-and-overpri… ∗∗∗ Ransomware tracker: The latest figures [March 2024] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ Kritische Schwachstelle (CVE-2024-1403) in Progress OpenEdge Authentication Gateway/AdminServer – PoC öffentlich ∗∗∗ --------------------------------------------- Es gibt eine kritische Schwachstelle (CVE-2024-1403) in diesem Produkt (CVSS 10.0), die die Umgehung der Authentifizierung ermöglicht. Nun ist ein Exploit zur Ausnutzung dieser Schwachstelle bekannt geworden. --------------------------------------------- https://www.borncity.com/blog/2024/03/11/kritische-schwachstelle-cve-2024-1… ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated Stored XSS Vulnerability Patched in Ultimate Member WordPress Plugin ∗∗∗ --------------------------------------------- The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/03/unauthenticated-stored-xss-vulnerabi… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/965032/ ∗∗∗ ArubaOS: Sicherheitslücken erlauben Befehlsschmuggel ∗∗∗ --------------------------------------------- HPE Aruba warnt vor zum Teil hochriskanten Sicherheitslücken im Betriebssystem ArubaOS für Switches aus dem Hause. Mehrere gelten als hohes Risiko und erlauben das Einschmuggeln von Befehlen. --------------------------------------------- https://heise.de/-9650985 ∗∗∗ Qnap hat teils kritische Lücken in seinen Betriebssystemen geschlossen ∗∗∗ --------------------------------------------- Qnap hat Warnungen vor Sicherheitslücken in QTS, QuTS Hero und QuTScloud veröffentlicht. Aktualisierte Firmware dichtet sie ab. --------------------------------------------- https://heise.de/-9650933 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2024
by Daily end-of-shift report 08 Mar '24

08 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-03-2024 18:00 − Freitag 08-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard ∗∗∗ --------------------------------------------- This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. --------------------------------------------- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-followi… ∗∗∗ New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3 ∗∗∗ --------------------------------------------- In the past three weeks, we’ve started seeing an uptick in attacks from a new malware campaign targeting this same Popup Builder vulnerability. According to PublicWWW, over 3,300 websites have already been infected by this new campaign. Our own SiteCheck remote malware scanner has detected this malware on over 1,170 sites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-store… ∗∗∗ Google-Präsenz verbessern? Vorsicht vor Abzocker-Unternehmen! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns und berichten von unseriösen Anbietern, die sich als Kooperationspartner von Google ausgeben. Das Angebot: Sie helfen dabei, den Unternehmensauftritt bei Google zu verbessern, ein angebotenes Beratungsgespräch soll nach dem Gespräch bezahlt werden und koste einmalig bis zu 80 Euro. Doch weit gefehlt: Erfahrungsberichten zufolge tappt man hier in eine Abo-Falle, die nur schwer zu kündigen ist. --------------------------------------------- https://www.watchlist-internet.at/news/abzocke-google-praesenz/ ∗∗∗ Online scam taxonomy: the many ways to trick us ∗∗∗ --------------------------------------------- Because there are so many different types of online scams, we have compiled a list of scam taxonomy, shortly explaining what these scams mean. It’s important to stay vigilant against these threats, so it’s easier to avoid them. --------------------------------------------- https://blog.f-secure.com/online-scam-taxonomy/ ∗∗∗ Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities ∗∗∗ --------------------------------------------- Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published. Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ. --------------------------------------------- https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-… ∗∗∗ Cisco: Angreifer können sich zum Root-Nutzer unter Linux machen ∗∗∗ --------------------------------------------- Cisco AppDynamics, Duo Authentication, Secure Client, Secure Client for Linux und Wireless Access Points der Small-Business-Reihe sind angreifbar. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-9649863 ∗∗∗ Angeblicher Tesla-Hack mit Flipper Zero entpuppt sich als Sturm im Wasserglas ∗∗∗ --------------------------------------------- Mittels eines gefälschten Gast-WLANs im Tesla-Design könnten Angreifer an Superchargern oder in Service-Centern Zugänge abgreifen, warnen die Experten. --------------------------------------------- https://heise.de/-9650018 ===================== = Vulnerabilities = ===================== ∗∗∗ pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- “pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world. [..] If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution. --------------------------------------------- https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_… ∗∗∗ QNAP Security Advisories 2024-03-09 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 4x Medium --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma). --------------------------------------------- https://lwn.net/Articles/964832/ ∗∗∗ macOS 14.4 und mehr: Apple patcht schwere Sicherheitslücken ∗∗∗ --------------------------------------------- Apples Update-Reigen geht weiter: Nach iOS und iPadOS hat der Hersteller in der Nacht auf Freitag neue Versionen und Patches veröffentlicht, die für macOS, watchOS, tvOS und visionOS veröffentlicht. Neben kleineren Funktionserweiterungen und Bugfixes sollen die Aktualisierungen auch zwei gravierende Zero-Day-Schwachstellen im Kernel ausräumen, die nach Informationen von Apple wohl bereits aktiv für Angriffe ausgenutzt wurden. --------------------------------------------- https://heise.de/-9649559 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2024
by Daily end-of-shift report 07 Mar '24

07 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-03-2024 18:00 − Donnerstag 07-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hacked WordPress sites use visitors browsers to hack other sites ∗∗∗ --------------------------------------------- Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors browsers to bruteforce passwords for other sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-use-v… ∗∗∗ New Python-Based Snake Info Stealer Spreading Through Facebook Messages ∗∗∗ --------------------------------------------- Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data. --------------------------------------------- https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html ∗∗∗ Code injection on Android without ptrace ∗∗∗ --------------------------------------------- I came up with the idea to port linux_injector. The project has a simple premise: injecting code into a process without using ptrace. --------------------------------------------- https://erfur.github.io/blog/dev/code-injection-without-ptrace ∗∗∗ CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-inje… ∗∗∗ Delving into Dalvik: A Look Into DEX Files ∗∗∗ --------------------------------------------- Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. --------------------------------------------- https://www.mandiant.com/resources/blog/dalvik-look-into-dex-files ∗∗∗ Staatstrojaner: Infrastruktur der Spyware Predator erneut abgeschaltet ∗∗∗ --------------------------------------------- Die Betreiber der Plattform hinter Predator haben offenbar Server vom Netz genommen, die sie zum Ausliefern und Steuern der Überwachungssoftware verwendeten. --------------------------------------------- https://heise.de/-9648238 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive ∗∗∗ --------------------------------------------- On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects certain components of the OpenEdge platform. --------------------------------------------- https://www.horizon3.ai/attack-research/cve-2024-1403-progress-openedge-aut… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, [...] --------------------------------------------- https://lwn.net/Articles/964725/ ∗∗∗ VMware schließt Schlupflöcher für Ausbruch aus virtueller Maschine ∗∗∗ --------------------------------------------- Angreifer können Systeme mit VMware ESXi, Fusion und Workstation attackieren. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://heise.de/-9648396 ∗∗∗ VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/949046 ∗∗∗ Registration role - Critical - Access bypass - SA-CONTRIB-2024-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-015 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via writable files in CheckMK Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalati… ∗∗∗ Mattermost security updates 9.5.2 (ESR) / 9.4.4 / 9.3.3 / 8.1.11 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-5-2-esr-9-4-4-9-3… ∗∗∗ Apple Releases Security Updates for iOS and iPadOS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/07/apple-releases-security-… ∗∗∗ Chirp Systems Chirp Access ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2024
by Daily end-of-shift report 06 Mar '24

06 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-03-2024 18:00 − Mittwoch 06-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Why Your Firewall Will Kill You, (Tue, Mar 5th) ∗∗∗ --------------------------------------------- The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquity are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, Fortigate, Sonicwall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers. --------------------------------------------- https://isc.sans.edu/diary/rss/30714 ∗∗∗ Scanning and abusing the QUIC protocol, (Wed, Mar 6th) ∗∗∗ --------------------------------------------- The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary. --------------------------------------------- https://isc.sans.edu/diary/rss/30720 ∗∗∗ Living off the land with native SSH and split tunnelling ∗∗∗ --------------------------------------------- Lately I was involved in an assumed compromise project where stealth and simplicity was required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. [..] Windows native SSH can be a convenient attack path IF an organisation doesn’t have the ability to block and monitor the forwarded internal traffic. [..] The obvious route is to restrict access to the SSH command for all users who don’t have a business need, or to uninstall it from your default Windows build and use something like PuTTY instead. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-with-nati… ∗∗∗ Schneeballsystem-Alarm bei DCPTG.com! ∗∗∗ --------------------------------------------- An die Watchlist Internet wird aktuell vermehrt ein Schneeball- bzw. Pyramidensystem mit dem Namen dcptg.com gemeldet. Versprochen werden Erfahrungsberichten nach völlig unrealistische und risikofreie Gewinnmöglichkeiten von 2 bis 5 Prozent des eingesetzten Kapitals pro Tag. Außerdem müssen laufend weitere Menschen angeworben werden, um langfristig an dem System teilnehmen zu können. Vorsicht: DCPTG.com ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/schneeballsystem-alarm-bei-dctpgcom/ ∗∗∗ Fake-Gewinnspiel im Namen vom Tiergarten Schönbrunn ∗∗∗ --------------------------------------------- Über ein Fake-Profil des Tiergartens Schönbrunn wird derzeit ein betrügerisches Gewinnspiel auf Facebook verbreitet. Die Facebook-Seite „Tiergarten Wien“ verlost angeblich 4 Eintrittskarten. Sie müssen lediglich die Versandgebühren für die Karten bezahlen. Vorsicht: Sie tappen in eine Abo-Falle und geben Ihre persönlichen Daten an Kriminelle weiter. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-im-namen-vom-tierga… ∗∗∗ Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware ∗∗∗ --------------------------------------------- Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products. --------------------------------------------- https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre… ∗∗∗ Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers ∗∗∗ --------------------------------------------- Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Badgerboard: A PLC backplane network visibility module ∗∗∗ --------------------------------------------- Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network. --------------------------------------------- https://blog.talosintelligence.com/badgerboard-research/ ∗∗∗ Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? ∗∗∗ --------------------------------------------- In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips. --------------------------------------------- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-wi… ∗∗∗ New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps ∗∗∗ --------------------------------------------- According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. --------------------------------------------- https://www.hackread.com/new-linux-malware-alert-spinning-yarn-docker-apps/ ∗∗∗ Fritz.box: Domain aus dem Verkehr gezogen ∗∗∗ --------------------------------------------- Unbekannte sicherten sich im Januar die Domain fritz.box. Doch die Verwirrung hielt nicht lange an. Jetzt wurde die Adresse aus dem Verkehr gezogen. --------------------------------------------- https://heise.de/-9647776 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 5x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ VMSA-2024-0006 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. [..] A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0006.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libapache2-mod-auth-openidc, libuv1, php-phpseclib, and phpseclib), Red Hat (buildah, cups, curl, device-mapper-multipath, emacs, fence-agents, frr, fwupd, gmp, gnutls, golang, haproxy, keylime, libfastjson, libmicrohttpd, linux-firmware, mysql, openssh, rear, skopeo, sqlite, squid, systemd, and tomcat), Slackware (mozilla), SUSE (kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql-jdbc, python, python-cryptography, rubygem-rack, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (c-ares, firefox, libde265, libgit2, and ruby-image-processing). --------------------------------------------- https://lwn.net/Articles/964559/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-23225 / CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/06/cisa-adds-two-known-expl… ∗∗∗ Foxit: Sicherheitsupdates in Foxit PDF Reader 2024.1 und Foxit PDF Editor 2024.1 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Bosch: Git for Windows Multiple Security Vulnerabilities in Bosch DIVAR IP all-in-one Devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637386-bt.html ∗∗∗ Bosch: Multiple OpenSSL vulnerabilities in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-090577-bt.html ∗∗∗ F5: K000138827 : OpenSSH vulnerability CVE-2023-51385 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138827 ∗∗∗ iOS 17.4 und iOS 16.7.6: Wichtige sicherheitskritische Bugfixes ∗∗∗ --------------------------------------------- https://heise.de/-9647164 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2024
by Daily end-of-shift report 05 Mar '24

05 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-03-2024 18:00 − Dienstag 05-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ScreenConnect flaws exploited to drop new ToddleShark malware ∗∗∗ --------------------------------------------- The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark. --------------------------------------------- https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploite… ∗∗∗ Network tunneling with… QEMU? ∗∗∗ --------------------------------------------- While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator. --------------------------------------------- https://securelist.com/network-tunneling-with-qemu/111803/ ∗∗∗ Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes ∗∗∗ --------------------------------------------- The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.h… ∗∗∗ Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users ∗∗∗ --------------------------------------------- Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-orde… ∗∗∗ AnyDesk: Zugriffsversuche aus Spanien; Unsignierter Client verteilt ∗∗∗ --------------------------------------------- Das Drama bei AnyDesk geht anscheinend weiter, obwohl ich die Hoffnung hatte, das Thema langsam abschließen zu können... --------------------------------------------- https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spani… ∗∗∗ WogRAT Malware Exploits aNotepad (Windows, Linux) ∗∗∗ --------------------------------------------- AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. --------------------------------------------- https://asec.ahnlab.com/en/62446/ ∗∗∗ GhostSec’s joint ransomware operation and evolution of their arsenal ∗∗∗ --------------------------------------------- Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. --------------------------------------------- https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/ ∗∗∗ Ransomware: ALPHV/Blackcat betrügt offensichtlich Partner und zieht sich zurück ∗∗∗ --------------------------------------------- Die Fakten legen nahe, dass ALPHV/Blackcat einen Cybercrime-Partner um 22 Millionen US-Dollar betrogen und sich nun zurückgezogen hat. --------------------------------------------- https://heise.de/-9646707 ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit available for new critical TeamCity auth bypass bug, patch now ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-cr… ∗∗∗ Multiple vulnerabilities in RT-Thread RTOS ∗∗∗ --------------------------------------------- I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution. --------------------------------------------- https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rto… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django). --------------------------------------------- https://lwn.net/Articles/964450/ ∗∗∗ Zeek Security Tool Vulnerabilities Allow ICS Network Hacking ∗∗∗ --------------------------------------------- Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments. --------------------------------------------- https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-n… ∗∗∗ VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/782720 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.8.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ ∗∗∗ Nice Linear eMerge E3-Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01 ∗∗∗ K000138814 : OpenLDAP vulnerability CVE-2023-2953 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138814 ∗∗∗ Patchday: Kritische Schadcode-Lücken bedrohen Android 12, 13 und 14 ∗∗∗ --------------------------------------------- https://heise.de/-9646073 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2024
by Daily end-of-shift report 04 Mar '24

04 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-03-2024 18:00 − Montag 04-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gemini, ChatGPT und LLaVA: Neuer Wurm verbreitet sich in KI-Ökosystemen selbst ∗∗∗ --------------------------------------------- Forscher haben einen KI-Wurm entwickelt. Dieser kann nicht nur sensible Daten abgreifen, sondern sich auch selbst in einem GenAI-Ökosystem ausbreiten. --------------------------------------------- https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-si… ∗∗∗ Hunting For Integer Overflows In Web Servers ∗∗∗ --------------------------------------------- In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie! --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for… ∗∗∗ New Wave of SocGholish Infections Impersonates WordPress Plugins ∗∗∗ --------------------------------------------- SocGholish malware, otherwise known as “fake browser updates”, is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersona… ∗∗∗ Rise in Deceptive PDF: The Gateway to Malicious Payloads ∗∗∗ --------------------------------------------- McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-… ∗∗∗ Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers ∗∗∗ --------------------------------------------- A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS). --------------------------------------------- https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-… ∗∗∗ Vorsicht vor falschen Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Prüfen Sie Benachrichtigungen über den Sendungsstatus sehr genau! Derzeit sind gefälschte Paketbenachrichtigungen im Namen aller gängigen Zustelldiensten im Umlauf. Klicken Sie niemals voreilig auf Links in E-Mails und SMS und geben Sie keine Kreditkartendaten preis! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachric… ∗∗∗ Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE ∗∗∗ --------------------------------------------- Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid – fe12e833-6f0c-45c9-97d6-83337ea6c5d3). --------------------------------------------- https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-t… ∗∗∗ Microsoft schließt ausgenutzte Windows 0-day Schwachstelle CVE-2024-21338 sechs Monate nach Meldung ∗∗∗ --------------------------------------------- Im Februar 2024 hat Microsoft die Schwachstelle CVE-2024-21338 im Kernel von Windows 10/11 und diversen Windows Server-Versionen geschlossen. Super! Der Fehler an der Geschichte: Die Schwachstelle wurde von AVAST im August 2023 gemeldet, und die Schwachstelle wurde zu dieser Zeit als 0-day ausgenutzt. --------------------------------------------- https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-wind… ∗∗∗ Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO ∗∗∗ --------------------------------------------- The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomwa… ∗∗∗ GitHub als Malware-Schleuder ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma berichtet über eine neue Masche, wie Schadcode im großen Stil verteilt wird: über kompromittierte Klon-Repositories auf GitHub. --------------------------------------------- https://heise.de/-9644525 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) ∗∗∗ --------------------------------------------- JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately. --------------------------------------------- https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird). --------------------------------------------- https://lwn.net/Articles/964376/ ∗∗∗ Hikvision Patches High-Severity Vulnerability in Security Management System ∗∗∗ --------------------------------------------- Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs. --------------------------------------------- https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-… ∗∗∗ Aruba: Codeschmuggel durch Sicherheitslücken im Clearpass Manager möglich ∗∗∗ --------------------------------------------- Im Aruba Clearpass Manager von HPE klaffen teils kritische Sicherheitslücken. Updates zum Schließen stehen bereit. [..] Eine Lücke betrifft den mitgelieferten Apache Struts-Server und erlaubt das Einschleusen von Befehlen (CVE-2023-50164, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-9644607 ∗∗∗ Solarwinds: Schadcode-Lücke in Security Event Manager ∗∗∗ --------------------------------------------- Sicherheitslücken in Solarwinds Secure Event Manager können Angreifer zum Einschleusen von Schadcode missbrauchen. Updates stopfen die Lecks. --------------------------------------------- https://heise.de/-9644643 ∗∗∗ Angreifer können Systeme mit Dell-Software kompromittieren ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitspatches für Dell Data Protection Advisor, iDRAC8 und Secure Connect Gateway erschienen. --------------------------------------------- https://heise.de/-9644978 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000138726 : Linux kernel vulnerability CVE-2023-3611 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138726 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2024
by Daily end-of-shift report 01 Mar '24

01 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-02-2024 18:00 − Freitag 01-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA cautions against using hacked Ivanti VPN gateways even after factory resets ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-… ∗∗∗ Angriffe auf Windows-Lücke – Update seit einem halben Jahr verfügbar ∗∗∗ --------------------------------------------- Die CISA warnt vor Angriffen auf eine Lücke in Microsofts Streaming Service. Updates gibt es seit mehr als einem halben Jahr. --------------------------------------------- https://heise.de/-9643763 ∗∗∗ Wireshark Tutorial: Exporting Objects From a Pcap ∗∗∗ --------------------------------------------- This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-… ∗∗∗ Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses ∗∗∗ --------------------------------------------- Here’s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor. --------------------------------------------- https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-ope… ∗∗∗ Researchers spot new infrastructure likely used for Predator spyware ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries. --------------------------------------------- https://therecord.media/new-predator-spyware-infrastructure-identified ∗∗∗ Covert TLS n-day backdoors: SparkCockpit & SparkTar ∗∗∗ --------------------------------------------- This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications. --------------------------------------------- https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sp… ∗∗∗ How To Hunt For UEFI Malware Using Velociraptor ∗∗∗ --------------------------------------------- UEFI threats have historically been limited in number and mostly implemented bynation state actors as stealthy persistence. However, the recent proliferationof Black Lotus on the dark web, Trickbot enumeration module (late 2022), andGlupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-us… ∗∗∗ Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1 ∗∗∗ --------------------------------------------- This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike. --------------------------------------------- https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-ratta… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7). --------------------------------------------- https://lwn.net/Articles/964166/ ∗∗∗ Sicherheitsupdate: Nividia-Grafikkarten-Treiber als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Insgesamt hat Nvidia mit den Updates acht Sicherheitslücken geschlossen. Davon sind vier (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) mit dem Bedrohungsgrad "hoch" eingestuft. An diesen Stellen können Angreifer auf einem nicht näher beschriebenen Weg Speicherfehler auslösen und so Schadcode auf Systeme schieben und ausführen. Im Anschluss gelten Computer in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9643306 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.02.2024
by Daily end-of-shift report 29 Feb '24

29 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-02-2024 18:00 − Donnerstag 29-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LockBit ransomware returns to attacks with new encryptors, servers ∗∗∗ --------------------------------------------- The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last weeks law enforcement disruption. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-t… ∗∗∗ Neue Ransomwaregruppe: Angeblicher Cyberangriff auf Epic Games bleibt zweifelhaft ∗∗∗ --------------------------------------------- Die Hackergruppe Mogilevich bietet im Darknet Daten von Epic Games im Umfang von 189 GByte zum Verkauf an. Zweifel an dem Angebot sind jedoch angebracht. --------------------------------------------- https://www.golem.de/news/daten-stehen-zum-verkauf-neue-ransomwaregruppe-ha… ∗∗∗ GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks ∗∗∗ --------------------------------------------- Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. --------------------------------------------- https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.ht… ∗∗∗ New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks. --------------------------------------------- https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html ∗∗∗ #StopRansomware: Phobos Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a ∗∗∗ ALPHV is singling out healthcare sector, say FBI and CISA ∗∗∗ --------------------------------------------- CISA, FBI and HHS are warning about the ALPHV/ Blackcat ransomware group targeting the healthcare industry. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-health… ∗∗∗ GUloader Unmasked: Decrypting the Threat of Malicious SVG Files ∗∗∗ --------------------------------------------- This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decr… ∗∗∗ Amazon-Vishing: Vorsicht vor Fake-Amazon-Anrufen! ∗∗∗ --------------------------------------------- Am Telefon geben sich Kriminelle als Amazon-Mitarbeiter:innen aus. Unter verschiedenen Vorwänden bringen sie Sie dazu, TeamViewer oder AnyDesk zu installieren und räumen Ihr Konto leer! Sollten Sie so einen Anruf erhalten, legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vishing-vorsicht-vor-fake-ama… ∗∗∗ ADCS ESC14 Abuse Technique ∗∗∗ --------------------------------------------- In this blog post, we will explore the variations of abuse of explicit certificate mapping in AD, what the requirements are, and how you can protect your environment against it. --------------------------------------------- https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 ∗∗∗ The Art of Domain Deception: Bifrosts New Tactic to Deceive Users ∗∗∗ --------------------------------------------- The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/ ∗∗∗ Vulnerabilities in business VPNs under the spotlight ∗∗∗ --------------------------------------------- As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk. --------------------------------------------- https://www.welivesecurity.com/en/business-security/vulnerabilities-busines… ∗∗∗ IT-Sicherheitsprodukte von Sophos verschlucken sich am Schaltjahr ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers können Sophos Endpoint, Home und Server vor dem Besucht legitimer Websites warnen. Erste Lösungen sind bereits verfügbar. --------------------------------------------- https://heise.de/-9642801 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound). --------------------------------------------- https://lwn.net/Articles/964039/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF05 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-060-01 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2024
by Daily end-of-shift report 28 Feb '24

28 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-02-2024 18:00 − Mittwoch 28-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ivanti: Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities ∗∗∗ --------------------------------------------- As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild. --------------------------------------------- https://www.ivanti.com/blog/enhanced-external-integrity-checking-tool-to-pr… ∗∗∗ Savvy Seahorse gang uses DNS CNAME records to power investor scams ∗∗∗ --------------------------------------------- A threat actor named Savvy Seahorse is abusing CNAME DNS records Domain Name System to create a traffic distribution system that powers financial scam campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns… ∗∗∗ Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th) ∗∗∗ --------------------------------------------- Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federations Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquity, using well-known default credentials. Why do nation-state actors go after "simple" home devices? --------------------------------------------- https://isc.sans.edu/diary/rss/30694 ∗∗∗ European diplomats targeted by SPIKEDWINE with WINELOADER ∗∗∗ --------------------------------------------- Zscalers ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted… ∗∗∗ Hacker-Gruppe fordert Bitcoins: Erpresserische E-Mails enthalten Wohnadresse als Druckmittel ∗∗∗ --------------------------------------------- „Es freut uns sehr dir mitteilen zu können, das du keine Ahnung von Cyber Security Hast und wir dein Handy infizieren konnten“ beginnt ein E-Mail von einer angeblichen Hacker-Gruppe mit dem Namen „Russian Blakmail Army“. Angeblich wurden private Fotos und Inhalte von Ihnen gesammelt. Wenn Sie nicht wollen, dass diese veröffentlicht werden, sollten Sie 1000 Euro an eine Bitcoin-Wallet senden. Ignorieren Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-gruppe-fordert-bitcoins-erpre… ∗∗∗ Navigating the Cloud: Exploring Lateral Movement Techniques ∗∗∗ --------------------------------------------- We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ ∗∗∗ Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day ∗∗∗ --------------------------------------------- Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab. --------------------------------------------- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyo… ∗∗∗ Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations ∗∗∗ --------------------------------------------- This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters. --------------------------------------------- https://www.ic3.gov/Media/News/2024/240227.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography- vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff). --------------------------------------------- https://lwn.net/Articles/963957/ ∗∗∗ TeamViewer Passwort-Schwachstelle CVE-2024-0819 ∗∗∗ --------------------------------------------- Der Client für Windows sollte dringend auf die Version 15.51.5 aktualisiert werden. Der Hersteller hat einen Sicherheitshinweis veröffentlicht, aus dem hervorgeht, dass ältere Software-Versionen nur einen unvollständigen Schutz der persönlichen Kennworteinstellungen bieten. --------------------------------------------- https://www.borncity.com/blog/2024/02/28/teamviewer-passwort-schwachstelle-… ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 3x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Checkmk: Werk #16361: Privilege escalation in Windows agent ∗∗∗ --------------------------------------------- https://checkmk.com/werk/16361 ∗∗∗ ARISTA Security Advisory 0093 ∗∗∗ --------------------------------------------- https://www.arista.com/en/support/advisories-notices/security-advisory/1903… ∗∗∗ Wiesemann & Theis: Multiple products prone to unquoted search path ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-018/ ∗∗∗ F5: K000138731 : Linux vulnerability CVE-2023-3776 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138731 ∗∗∗ Google Chrome: Sicherheitsupdate bessert vier Schwachstellen aus ∗∗∗ --------------------------------------------- https://heise.de/-9641080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily