Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 06.12.2024
by Daily end-of-shift report 06 Dec '24

06 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-12-2024 18:00 − Freitag 06-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges ∗∗∗ --------------------------------------------- At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn. --------------------------------------------- https://www.darkreading.com/threat-intelligence/trojan-service-hits-euro-ba… ∗∗∗ Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage ∗∗∗ --------------------------------------------- In this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and APT36 — to install backdoors and collect intelligence on targets of interest in South Asia. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloade… ∗∗∗ Malicious Script Injection on WordPress Sites ∗∗∗ --------------------------------------------- Recently, our team discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme’s header.php file, leading to harmful consequences for site owners and visitors. --------------------------------------------- https://blog.sucuri.net/2024/12/malicious-script-injection-on-wordpress-sit… ∗∗∗ Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware ∗∗∗ --------------------------------------------- The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop.The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 thats designed to drop the Visual Basic Script malware, Recorded Futures Insikt Group said in a new analysis. --------------------------------------------- https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html ∗∗∗ Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month. --------------------------------------------- https://thehackernews.com/2024/12/researchers-uncover-flaws-in-popular.html ∗∗∗ Announcing the launch of Vanir: Open-source Security Patch Validation ∗∗∗ --------------------------------------------- Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. --------------------------------------------- http://security.googleblog.com/2024/12/announcing-launch-of-vanir-open-sour… ∗∗∗ Tagesgeldkonten: Vorsicht vor betrügerischen Angeboten im Namen von CHECK24 ∗∗∗ --------------------------------------------- In den letzten Tagen wurden vermehrt SMS versendet, in denen im Namen von CHECK24 mit verlockenden Tagesgeldkonten zu einem Zinssatz von bis zu 5,25% geworben wird. Möchte man das Angebot wahrnehmen, wird man auf eine täuschend echt aussehende Phishing-Seite weitergeleitet. Wird dort Geld eingezahlt, landet es auf den Konten von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/tagesgeldkonten-betruegerischen-ange… ∗∗∗ Windows 11 24H2 auf mehr Geräten verfügbar; TPM 2.0-Pflicht; Installation auf unsupported CPUs ∗∗∗ --------------------------------------------- Microsoft hat damit begonnen, dass im Oktober 2024 allgemein freigegebene Windows 11 24H2 (als Windows 11 2024 Update bezeichnet), auf mehr Geräte zu verteilen. Weiterhin hat Microsoft bekräftigt, dass TPM 2.0 für Windows 11 Pflicht ist. Andererseits gibt es Leute, die die Erfahrung machen, dass Windows 11 24H2 auf Hardware, die nicht kompatibel ist, ohne Tricks installiert werden kann. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-11-24h2-auf-mehr-geraeten-… ∗∗∗ Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages ∗∗∗ --------------------------------------------- Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages. --------------------------------------------- https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewa… ∗∗∗ New Malware Campaign Exposes Gaps in Manufacturing Cybersecurity Defenses ∗∗∗ --------------------------------------------- In a recent analysis by Cyble Research and Intelligence Labs (CRIL), a multi-stage cyberattack campaign has been identified, targeting the manufacturing industry. The attack, which heavily relies on process injection techniques, aims to deliver dangerous payloads, including Lumma Stealer and Amadey Bot. --------------------------------------------- https://thecyberexpress.com/lumma-stealer-amadey-bot-target-manufacturing/ ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro). --------------------------------------------- https://lwn.net/Articles/1001164/ ∗∗∗ Windows: 0patch für 0-day URL File NTLM Hash Disclosure-Schwachstelle ∗∗∗ --------------------------------------------- ACROS Security ist auf eine bisher nicht per Update geschlossene Schwachstelle in Windows gestoßen, die per URL die Offenlegung von NTLM Hash-Werten ermöglicht. ACROS Security hat einen opatch Micropatch veröffentlicht, um diese Schwachstelle zu beseitigen. Bis zum Bereitstellen eines Updates durch Microsoft ist der opatch-Micropatch kostenlos verfügbar. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-0patch-fuer-0-day-url-file… ∗∗∗ Sicherheitsupdate: Backupsoftware Dell NetWorker kann Daten leaken ∗∗∗ --------------------------------------------- Dell hat wichtige Sicherheitspatches für seine Backup- und Recovery-Software NetWorker und das SDK BSAFE veröffentlicht. Noch sind aber nicht alle Updates da. --------------------------------------------- https://heise.de/-10190285 ∗∗∗ QNAP: Vulnerability in Qsync Central ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-48 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-49 ∗∗∗QNAP: Vulnerability in License Center ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-50 ∗∗∗ Tenable: [R1] Security Center Version 6.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-19 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2024
by Daily end-of-shift report 05 Dec '24

05 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-12-2024 18:00 − Donnerstag 05-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kostenfalle Gesundheitstest: So schützen Sie sich vor Abzocke ∗∗∗ --------------------------------------------- Auf gesundheitskontrolle.com oder gesundheitsbewertung.com werden 2-minütige Gesundheitstests versprochen. Nach Beantwortung einiger Fragen erhalten Sie angeblich eine „maßgenschneiderte und individuelle Gesundheitsanalyse“ von Gesundheitsexperten. Wir raten zur Vorsicht: Wenige Tage später flattert eine Rechnung über 79 Euro ins Haus. --------------------------------------------- https://www.watchlist-internet.at/news/kostenfalle-gesundheitstest/ ∗∗∗ MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks ∗∗∗ --------------------------------------------- Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html ∗∗∗ Telecom Giant BT Group Hit by Black Basta Ransomware ∗∗∗ --------------------------------------------- BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the companys Conferencing division, leading to server shutdowns and potential data theft. --------------------------------------------- https://hackread.com/telecom-giant-bt-group-black-basta-ransomware-attack/ ∗∗∗ Vorsicht vor Whatsapp-Phishing mit gespoofter Rufnummer ∗∗∗ --------------------------------------------- Cyber-Kriminelle nehmen deutschsprachige WhatsApp-Nutzer ins Visier und versuchen mit einem perfiden Trick und einem Chatbot deren Accounts zu kapern. --------------------------------------------- https://heise.de/-10188150 ∗∗∗ USA: Acht Telekommunikationsdienste von Cyberangriffen betroffen ∗∗∗ --------------------------------------------- Bereits im Wahlkampf wurde bekannt, dass Kriminelle an die Telefondaten hochrangiger US-Politiker gekommen sind. Doch der Angriff war umfangreicher als gedacht. --------------------------------------------- https://heise.de/-10188807 ∗∗∗ [Guest Diary] Business Email Compromise, (Thu, Dec 5th) ∗∗∗ --------------------------------------------- Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc. --------------------------------------------- https://isc.sans.edu/diary/rss/31474 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. [..] WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information. --------------------------------------------- https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils). --------------------------------------------- https://lwn.net/Articles/1000870/ ∗∗∗ Vier Lücken in HPE Aruba Networking ClearPass Policy Manager geschlossen ∗∗∗ --------------------------------------------- In aktuellen Versionen von HPE Aruba Networking ClearPass Policy Manager haben die Entwickler insgesamt vier Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer eigenen Code ausführen und Systeme kompromittieren. --------------------------------------------- https://heise.de/-10188868 ∗∗∗ Drupal: Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-071 ∗∗∗ Drupal: Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-070 ∗∗∗ Drupal: Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-069 ∗∗∗ Drupal: Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-068 ∗∗∗ Drupal: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-067 ∗∗∗ Drupal: Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-066 ∗∗∗ Drupal: Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-065 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 25, 2024 to December 1, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ AutomationDirect C-More EA9 Programming Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-01 ∗∗∗ Planet Technology Planet WGS-804HPT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2024
by Daily end-of-shift report 04 Dec '24

04 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-12-2024 18:00 − Mittwoch 04-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply Chain Attack Detected in Solanas web3.js Library ∗∗∗ --------------------------------------------- A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets. [..] npm has moved swiftly to remove the affected versions. [..] Anza recommends developers who suspect they were compromised to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs. --------------------------------------------- https://socket.dev/blog/supply-chain-attack-solana-web3-js-library ∗∗∗ Jetzt patchen! Exploit für kritische Lücke in Whatsup Gold in Umlauf ∗∗∗ --------------------------------------------- Eine "kritische" Sicherheitslücke ist seit September dieses Jahres bekannt. Seitdem gibt es auch ein Sicherheitsupdate. Weil mittlerweile Exploitcode für die Schwachstelle kursiert, könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-10187538 ∗∗∗ Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability ∗∗∗ --------------------------------------------- Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA. [..] The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. --------------------------------------------- https://hackread.com/cisco-patch-decade-old-webvpn-vulnerability/ ∗∗∗ (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments ∗∗∗ --------------------------------------------- In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolati… ∗∗∗ Wegem schwerem Cyberangriff auf US-Provider: FBI wirbt für Verschlüsselung ∗∗∗ --------------------------------------------- Angesichts eines verheerenden Cyberangriffs auf US-Provider haben die US-Bundespolizei FBI und die Cybersicherheitsbehörde CISA die Menschen in den Vereinigten Staaten aufgefordert, ihre Kommunikation möglichst zu verschlüsseln. --------------------------------------------- https://heise.de/-10187110 ∗∗∗ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware ∗∗∗ --------------------------------------------- Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign… ∗∗∗ PROXY.AM Powered by Socks5Systemz Botnet ∗∗∗ --------------------------------------------- After a year long investigation, Bitsight TRACE follows up on Socks5Systemz research. --------------------------------------------- https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet ∗∗∗ New era of slop security reports for open source ∗∗∗ --------------------------------------------- Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects. [..] Security reports that waste maintainers' time result in confusion, stress, frustration, and to top it off a sense of isolation due to the secretive nature of security reports. [..] If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale to open source projects. This is a very concerning trend. --------------------------------------------- https://sethmlarson.dev/slop-security-reports ===================== = Vulnerabilities = ===================== ∗∗∗ Identitätsmanagement: Sicherheitslücke mit Höchstwertung bedroht IdentityIQ ∗∗∗ --------------------------------------------- Bislang gibt es von SailPoint noch keine Warnung zur Sicherheitslücke. Alle Informationen zur "kritischen" Schwachstelle (CVE-2024-10905) basieren derzeit auf einem Eintrag in der National Vulnerability Database (NVD) des National Insitute of Standards and Technology (NIST). [..] Die Lücke soll in den Ausgaben 8.2p8, 8.3p5 und 8.4p2 geschlossen sein. --------------------------------------------- https://heise.de/-10187194 ∗∗∗ Cisco NX-OS Software Image Verification Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. CVE-2024-20397 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen). --------------------------------------------- https://lwn.net/Articles/1000721/ ∗∗∗ Scan2Net: Mehrere kritische Schwachstellen in Image Access Scan2Net ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-kritische-sch… ∗∗∗ PGST: Mehrere Schwachstellen in PGST-Alarmanlagen (SYSS-2024-070 bis -073) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-pgst-alarmanlage… ∗∗∗ F5: K000148830: Linux kernel vulnerabilities CVE-2024-41090 and CVE-2024-41091 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148830 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2024
by Daily end-of-shift report 03 Dec '24

03 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 02-12-2024 18:00 − Dienstag 03-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Building Cyber Resilience Against Ransomware Attacks ∗∗∗ --------------------------------------------- This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building. --------------------------------------------- https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomwa… ∗∗∗ Unveiling RevC2 and Venom Loader ∗∗∗ --------------------------------------------- Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-l… ∗∗∗ Gafgyt Malware Targeting Docker Remote API Servers ∗∗∗ --------------------------------------------- Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-doc… ∗∗∗ Secure Coding: Sichere Fehlerbehandlung in Java – CWE-778-Risiken vermeiden ∗∗∗ --------------------------------------------- Mit sicheren Java-Design-Patterns wie dem Decorator und Proxy Pattern die Kontrolle über Fehlerberichte verbessern – zum Schutz gegen CWE-778-Schwachstellen. --------------------------------------------- https://heise.de/-10084007 ∗∗∗ On Almost Signing Android Builds ∗∗∗ --------------------------------------------- This blog post has two goals: to raise awareness about this issue, to introduce a script intended as a quick check to verify if an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part. --------------------------------------------- https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/ ∗∗∗ Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd) ∗∗∗ --------------------------------------------- I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools. --------------------------------------------- https://isc.sans.edu/diary/rss/31486 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy). --------------------------------------------- https://lwn.net/Articles/1000591/ ∗∗∗ Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders ∗∗∗ --------------------------------------------- CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Patchday: Android 12, 13, 14 und 15 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In einer Warnmeldung hebt Google eine Sicherheitslücke (CVE-2024-43767 "hoch") im System als besonders bedrohlich hervor: Angreifer können Schadcode ausführen. Dafür seien keine zusätzlichen Ausführungsrechte nötig. Wie so ein Angriff genau ablaufen könnte, bleibt aber unklar. --------------------------------------------- https://heise.de/-10185926 ∗∗∗ HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&doc… ∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06 ∗∗∗ ICONICS and Mitsubishi Electric GENESIS64 Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04 ∗∗∗ Open Automation Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03 ∗∗∗ Ruijie Reyee OS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01 ∗∗∗ F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148809 ∗∗∗ F5: K000148689: Qt vulnerability CVE-2023-32762 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148689 ∗∗∗ Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449) ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4679 ∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3 ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4693 ∗∗∗ ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1640/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2024
by Daily end-of-shift report 02 Dec '24

02 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-11-2024 18:00 − Montag 02-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing: Angreifer umgehen Virenscan mittels beschädigter Word-Dokumente ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine neue Methode gestoßen, wie Cyberkriminelle präparierte Dokumente am Virenschutz vorbeischieben. --------------------------------------------- https://www.heise.de/-10184679 ∗∗∗ "Juice-Jacking": Wie gefährlich ist das Laden vom Smartphone im öffentlichen Raum? ∗∗∗ --------------------------------------------- Immer wieder warnen Behörden vor Angriffen durch manipulierte Charger, beim Cert Austria sieht man darin aber eine vorwiegend theoretische Bedrohung. --------------------------------------------- https://www.derstandard.at/story/3000000246594/juice-jacking-wie-gefaehrlic… ∗∗∗ Helldown, DoxNet & Darkrace Ransomware ∗∗∗ --------------------------------------------- In the following article I list some unique detection opportunities for all three ransomware groups, which seem to have the same affiliates or use the same server with similar ransomware variants to deploy their malware. --------------------------------------------- https://detect.fyi/helldown-donex-darktrace-ransomware-fd8683b7d135?source=… ∗∗∗ Code found online exploits LogoFAIL to install Bootkitty Linux backdoor ∗∗∗ --------------------------------------------- Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models. [..] The ultimate objective of the exploit, which Binarly disclosed Friday, is to install Bootkitty, a bootkit for Linux that was found and reported on Wednesday by researchers from security firm ESET. --------------------------------------------- https://arstechnica.com/security/2024/11/code-found-online-exploits-logofai… ∗∗∗ Copilot: Administratorwissen zum Schutz der Daten ∗∗∗ --------------------------------------------- Microsoft hat ja damit begonnen, seine AI-Lösung Copilot in Microsoft Office-Anwendungen mit "Auto-Opt-in" an Kunden mit entsprechender Lizenz auszurollen. Administratoren kommt eine besondere Verantwortung zu, was den Schutz von Daten im Unternehmen betrifft. Microsoft hat dazu kürzlich einen Beitrag mit entsprechenden Hinweisen veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2024/12/01/copilot-was-administratoren-zum-sc… ∗∗∗ Cyber Resilience Act: Mehr Sicherheit für das Internet der Dinge ∗∗∗ --------------------------------------------- Der Cyber Resilience Act der EU soll vernetzte Geräte besser vor Angriffen aus dem Netz schützen. Unternehmen müssen ihn bis 2027 umsetzen. --------------------------------------------- https://www.golem.de/news/cyber-resilience-act-mehr-sicherheit-fuer-das-int… ∗∗∗ Digitale Bedrohungen: EU-Rat billigt Cyberschutzschild und Frühwarnsystem ∗∗∗ --------------------------------------------- Die EU-Staaten werden ein Cybersicherheitswarnsystem einrichten, mit dem sie Gefahren aus dem Internet quasi in Echtzeit erkennen und abwehren können wollen. --------------------------------------------- https://heise.de/-10185408 ∗∗∗ German intelligence launches task force to combat foreign election interference ∗∗∗ --------------------------------------------- Germanys domestic intelligence service (BfV) has created a special task force to counter cyberattacks, espionage, sabotage and disinformation campaigns ahead of federal elections in February. --------------------------------------------- https://therecord.media/german-bfv-election-task-force-cyberattacks-disinfo… ∗∗∗ Tamanoir: A KeyLogger using eBPF ∗∗∗ --------------------------------------------- Tamanoir is developed for educational purposes only. --------------------------------------------- https://github.com/pythops/tamanoir ∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen! ∗∗∗ --------------------------------------------- Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. Machen Sie mit unseren ExpertInnen Ihre digitalen Geräte sicher: Montag, 16. Dezember 2024, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1000465/ ∗∗∗ Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53958863/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2024
by Daily end-of-shift report 29 Nov '24

29 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-11-2024 18:00 − Freitag 29-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich in der Weihnachtszeit vor Fake-Shops! ∗∗∗ --------------------------------------------- Zur Weihnachtszeit möchte man seinen Liebsten gerne eine Freude bereiten. Bei den kalten Temperaturen bietet es sich an, bequem von zu Hause aus online einzukaufen. Damit die Weihnachtsfreude nicht durch eine Bestellung bei einem Fake-Shop getrübt wird, zeigen wir Ihnen die wichtigsten Punkte, an denen Sie betrügerische Online-Shops erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-online-einkaufen-zu-weihnacht… ∗∗∗ Nach Nothalt: Microsoft verteilt korrigierte Exchange-Server-Updates ∗∗∗ --------------------------------------------- Das Exchange-Update zum November-Patchday war fehlerhaft, Microsoft zog die Notbremse. Jetzt stehen korrigierte Sicherheitsupdates bereit. --------------------------------------------- https://heise.de/-10181645 ∗∗∗ Hochriskante Sicherheitslücke in PostgreSQL: Gitlab patcht (noch) nicht ∗∗∗ --------------------------------------------- Postgres hat die Lücken bereits mit einem Update gefixt und empfiehlt, die Versionen 12.21, 13.17, 14.14, 15.9, 16.5 und 17.1 sofort einzuspielen. Wie bereits im März wiesen Leser uns darauf hin, dass GitLab nach wie vor an den alten, gefährdeten Versionen 14.11 und 16.4 festhält und die Updates verzögert. --------------------------------------------- https://heise.de/-10181730 ∗∗∗ QR-Codes an Parkautomaten – Polizei warnt vor Betrugsmasche ∗∗∗ --------------------------------------------- Derzeit tauchen bundesweit vermehrt manipulierte QR-Codes an Parkscheinautomaten auf. Dabei handelt es sich nach Angaben der Polizei um eine Betrugsmasche, bei der Kriminelle versuchen, über QR-Codes an sensible Daten zu gelangen – sogenanntes Quishing. --------------------------------------------- https://www.heise.de/-10181611 ∗∗∗ EU leitet Vertragsverletzungsverfahren gegen Deutschland wegen NIS2 ein ∗∗∗ --------------------------------------------- Gegen 24 Mitgliedstaaten inklusive Deutschland hat die Brüsseler Regierungsinstitution zugleich weitere Verletzungsverfahren gestartet, weil sie ihr keine nationalen Maßnahmen zur Umsetzung der Richtlinie über die Resilienz kritischer Einrichtungen mitgeteilt haben. Dabei handelt es sich quasi um die Analog-Variante der NIS2. --------------------------------------------- https://heise.de/-10181402 ∗∗∗ Ransomware Gangs Seek Pen Testers to Boost Quality ∗∗∗ --------------------------------------------- Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware. --------------------------------------------- https://www.darkreading.com/threat-intelligence/ransomware-gangs-seek-pen-t… ∗∗∗ IT threat evolution Q3 2024 ∗∗∗ --------------------------------------------- In this part of the malware report we discuss the most remarkable findings of Q3 2024, including APT and hacktivist attacks, ransomware, stealers, macOS malware and so on. --------------------------------------------- https://securelist.com/malware-report-q3-2024/114678/ ∗∗∗ Race Condition Attacks against LLMs ∗∗∗ --------------------------------------------- In modern LLM systems, there is a lot of code between what you type and what the LLM receives, and between what the LLM produces and what you see. All of that code is exploitable, and I expect many more vulnerabilities to be discovered in the coming year. --------------------------------------------- https://www.schneier.com/blog/archives/2024/11/race-condition-attacks-again… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, redis, twisted, and tzdata), Fedora (firefox, nss, pam, rust-rustls, rust-zlib-rs, thunderbird, tuned, and xen), and SUSE (cobbler, kernel, libjxl-devel, libuv, postgresql12, postgresql14, postgresql15, python-waitress, seamonkey, tomcat, and tomcat10). --------------------------------------------- https://lwn.net/Articles/1000185/ ∗∗∗ B&R: 2024-11-29: Cyber Security Advisory - B&R Authentication bypass flaw in several mapp components ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA22P014-90c4aa35.pdf ∗∗∗ Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2024
by Daily end-of-shift report 28 Nov '24

28 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-11-2024 18:00 − Donnerstag 28-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zello asks users to reset passwords after security incident ∗∗∗ --------------------------------------------- Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zello-asks-users-to-reset-pa… ∗∗∗ Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday ∗∗∗ --------------------------------------------- A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields. --------------------------------------------- https://www.darkreading.com/application-security/sneaky-skimmer-malware-mag… ∗∗∗ Microsoft-Sicherheitsfunktion "Administrator Protection" jetzt ausprobierbar ∗∗∗ --------------------------------------------- Microsoft will die Windows-Bedienung sicherer machen. "Administrator Protection" soll vor unbefugten Admin-Zugriffen schützen. --------------------------------------------- https://www.heise.de/-10179558 ∗∗∗ Vorsicht vor gefälschte Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Vorsicht ist geboten! Derzeit kursieren zahlreiche gefälschte Benachrichtigungen über den Lieferstatus von Bestellungen. Prüfen Sie daher Nachrichten von Paketdiensten genau, um nicht in eine Phishing- oder Abo-Falle zu tappen. Wir zeigen Ihnen, wie Sie gefälschte Nachrichten erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-paketbenachrichtigungen/ ∗∗∗ Malicious NPM Package Exploits React Native Documentation Example ∗∗∗ --------------------------------------------- A recent discovery revealed how official documentation can become an unexpected attack vector for supply chain attacks. It happened when an npm package called “rtn-centered-text” exploited an example from React Native’s Fabric Native Components guide in an attempt to trick developers into downloading their package, putting systems at risk. --------------------------------------------- https://checkmarx.com/blog/malicious-npm-package-exploits-react-native-docu… ∗∗∗ The Ultimate Handheld Hacking Device - My Experience with NetHunter ∗∗∗ --------------------------------------------- For those unfamiliar, Kali NetHunter is a version of Kali Linux that you can set up on your phone. There are several types of NetHunter setups, each determining the capabilities of your device. --------------------------------------------- https://andy.codes/blog/security_articles/2024-11-27-the-ultimate-handheld-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslecks in Entwicklerwerkzeug Jenkins gestopft ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung listen die Jenkins-Entwickler drei verwundbare Add-ons auf. Am schwersten wiegt die Schwachstelle im Simple Queue Plug-in. Es versieht Namen von Views nicht mit Escape. Das mündet in einer Stored-Cross-Site-Scripting-Lücke, die Angreifer mit "View/Create"-Rechten missbrauchen können (CVE-2024-54003, CVSS 8.0, Risiko "hoch"). Den Fehler korrigieren die Plug-in-Version 1.4.5 sowie neuere. --------------------------------------------- https://heise.de/-10180515 ∗∗∗ Multiple Vulnerabilities in Fuji Electric Products ZDI-24-1614 - ZDI-24-1630 ∗∗∗ --------------------------------------------- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Drupal: Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-064 ∗∗∗ ZABBIX: SQL injection in user.get API (CVE-2024-42327) Critical ∗∗∗ --------------------------------------------- https://support.zabbix.com/browse/ZBX-25623 ∗∗∗ NVIDIA Security Bulletin: NVIDIA UFM Enterprise, UFM Appliance, UFM CyberAI - November 2024 ∗∗∗ --------------------------------------------- https://nvidia.custhelp.com/app/answers/detail/a_id/5584 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2024
by Daily end-of-shift report 27 Nov '24

27 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-11-2024 18:05 − Mittwoch 27-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RomCom exploits Firefox and Windows zero days in the wild ∗∗∗ --------------------------------------------- ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and… ∗∗∗ Betrug auf Telegram und WhatsApp mit Fake Job angeboten ∗∗∗ --------------------------------------------- Unterhalb finden Sie unseren Bericht des Telegram Betrugs und wie wir es sogar geschafft haben die Betrüger auszutricksen. Außerdem geben wir Ticks und Tricks, was Sie machen können und wie Sie solch einen Betrug erkennen. --------------------------------------------- https://www.zettasecure.com/post/betrug-auf-telegram-und-whatsapp-mit-fake-… ∗∗∗ Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers ∗∗∗ --------------------------------------------- A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023 , was not officially made available until August 2024 with the release of version r1720. --------------------------------------------- https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html ∗∗∗ Gaming Engines: An Undetected Playground for Malware Loaders ∗∗∗ --------------------------------------------- Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. --------------------------------------------- https://research.checkpoint.com/2024/gaming-engines-an-undetected-playgroun… ∗∗∗ New NachoVPN attack uses rogue VPN servers to install malicious updates ∗∗∗ --------------------------------------------- A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rog… ∗∗∗ Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns ∗∗∗ --------------------------------------------- Welcome to the second part of our investigation into the Rockstar kit, please check out part one here. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2f… ∗∗∗ Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. --------------------------------------------- https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html ∗∗∗ BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365 ∗∗∗ --------------------------------------------- This blog discusses a few options in M365, such as guidance on configuring threat and alert policies and how to deal with these alerts downstream in the SIEM. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-3-det… ∗∗∗ Modern solutions against cross-site attacks ∗∗∗ --------------------------------------------- This article is about cross-site leak attacks and what recent defenses have been introduced to counter them. I also want to finally answer the question why web security best practices is always opt-in and finally how YOU can get increased security controls. --------------------------------------------- https://frederikbraun.de/modern-solutions-xsleaks.html ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Globalprotect: Schadcode-Lücke durch unzureichende Zertifikatsprüfung ∗∗∗ --------------------------------------------- Die Entdecker der Sicherheitslücke von Amberwolf schreiben in ihrer detaillierten Analyse, dass die Globalprotect-VPN-Clients sowohl unter macOS als auch unter Windows anfällig für das Ausführen von Schadcode aus dem Netz und der Ausweitung der Rechte sind, und zwar durch den automatischen Update-Mechanismus (CVE-2024-5921, CVSS-B 7.2, Risiko "hoch"). Zwar erfordert der Update-Prozess, dass MSI-Dateien signiert sind, jedoch können Angreifer den PanGPS-Dienst zum Installieren eines bösartigen, dadurch vertrautem Root-Zertifikat missbrauchen. --------------------------------------------- https://heise.de/-10178649 ∗∗∗ Microsoft patcht teils kritische Lücken außer der Reihe ∗∗∗ --------------------------------------------- Microsoft hat in der Nacht zum Mittwoch vier Sicherheitsmitteilungen veröffentlicht. [..] Einige Updates müssen Nutzer installieren. --------------------------------------------- https://www.heise.de/-10178400 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted). --------------------------------------------- https://lwn.net/Articles/999897/ ∗∗∗ GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5 ∗∗∗ --------------------------------------------- https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-re… ∗∗∗ HPE Insight Remote Support: Monitoring-Software ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- https://www.heise.de/-10178034 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0007.html ∗∗∗ Synology-SA-24:27 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_27 ∗∗∗ Synology-SA-24:26 BeeDrive for desktop ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_26 ∗∗∗ Omada Identity: Stored Cross-Site Scripting in Omada Identity ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-in-omada-i… ∗∗∗ F5: K000148716: REXML vulnerability CVE-2024-41123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148716 ∗∗∗ F5: K000148692: Qt vulnerability CVE-2023-34410 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148692 ∗∗∗ F5: K000148690: Qt vulnerability CVE-2023-32573 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148690 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2024
by Daily end-of-shift report 26 Nov '24

26 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 25-11-2024 18:00 − Dienstag 26-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit critical bug in Array Networks SSL VPN products ∗∗∗ --------------------------------------------- Americas Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug… ∗∗∗ Matrix Unleashes A New Widespread DDoS Campaign ∗∗∗ --------------------------------------------- Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals. --------------------------------------------- https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign ∗∗∗ Wake up and Smell the BitLocker Keys ∗∗∗ --------------------------------------------- >From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key. --------------------------------------------- https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/ ∗∗∗ Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… ∗∗∗ --------------------------------------------- There are many ways to disable or modify security solutions which you can for. e.g test with at least 53 different Atomic Red Team as starting point, but today I would like to limit myself to a few tools that successful ransomware groups use within the top 20 ransomware groups for October 2024. --------------------------------------------- https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-a… ∗∗∗ Web-Security: Mit Content Security Policy gegen Cross-Site Scripting, Teil 2 ∗∗∗ --------------------------------------------- Erweiterte CSP-Direktiven helfen dabei, Anwendungen effizient gegen Cross-Site Scripting zu schützen. --------------------------------------------- https://heise.de/-10175246 ∗∗∗ Graykey: Entschlüsselungswerkzeug kann teilweise iOS 18 aufsperren ∗∗∗ --------------------------------------------- Im Zusammenhang mit Apples neuem Reboot-Schutz vor Entsperrung sind Informationen aufgetaucht, was Forensikunternehmen mit aktuellen iPhones tun können. --------------------------------------------- https://heise.de/-10175639 ===================== = Vulnerabilities = ===================== ∗∗∗ Dell Wyse Management Suite: Angreifer können Sicherheitsmechanismen umgehen ∗∗∗ --------------------------------------------- Einer Warnmeldung zufolge sind unter anderem DoS-Attacken (CVE-2024-49595 "hoch") denkbar, außerdem können Angreifer nicht näher beschriebene Sicherheitsmechanismen umgehen (CVE-2024-49597 "hoch"). In beiden Fällen sind Attacken aus der Ferne möglich, Angreifer benötigen aber bereits hohe Nutzerrechte. --------------------------------------------- https://www.heise.de/-10176009 ∗∗∗ Trellix: Update dichtet Sicherheitslücken in Enterprise Security Manager ab ∗∗∗ --------------------------------------------- Auf konkrete Sicherheitslücken geht Trellix nicht weiter ein. Jedoch aktualisiert Trellix ESM 11.6.13 etwa Azul Java und geht damit mehrere nicht aufgelistete CVEs an. Ebenso bessert die mitgelieferte libcurl-Bibliothek zwei Sicherheitslücken aus (CVE-2023-38545, CVSS 9.8, Risiko "kritisch"; CVE-2023-38546, CVSS 3.7, niedrig). Auch im "Snow Service" lauerten zuvor zwei "Reverse Shell"-Schwachstellen (CVE-2024-1148, CVSS 9.8, kritisch; CVE-2024-11482 [noch nicht öffentlich]). --------------------------------------------- https://www.heise.de/-10176250 ∗∗∗ Wordpress-Plug-in Anti-Spam by Cleantalk gefährdet 200.000 Seiten ∗∗∗ --------------------------------------------- Nicht authentifizierte Angreifer können dadurch auf angreifbaren Wordpress-Instanzen beliebige Plug-ins installieren und aktivieren und somit am Ende beliebigen Code ausführen (CVE-2024-10542, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10175993 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics- commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson). --------------------------------------------- https://lwn.net/Articles/999744/ ∗∗∗ WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN87182660/ ∗∗∗ VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834) ∗∗∗ --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Mozilla Security Advisories November 26, 2024 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1102 ∗∗∗ Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1101 ∗∗∗ Synology-SA-24:25 Surveillance Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_25 ∗∗∗ Synology-SA-24:15 BeeFiles ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_15 ∗∗∗ Hitachi Energy RTU500 Scripting Interface ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05 ∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04 ∗∗∗ F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148713 ∗∗∗ PHP Patches Multiple Vulnerabilities Including CVE-2024-8932 ∗∗∗ --------------------------------------------- https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2024
by Daily end-of-shift report 25 Nov '24

25 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-11-2024 18:00 − Montag 25-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NAS nicht benutzbar: Qnap streicht fehlerhaftes Sicherheitsupdate ∗∗∗ --------------------------------------------- Besitzer von NAS-Geräten des Herstellers Qnap haben nach der Installation eines Patches Probleme sich anzumelden. Bislang hilft nur ein Downgrade. [..] Mittlerweile hat Qnap eine Stellungnahme zur Updateproblematik veröffentlicht. Demzufolge haben sie den Sicherheitspatch QTS 5.2.2.2950 build 20241114 nun repariert und wieder veröffentlicht. --------------------------------------------- https://heise.de/-10146878 ∗∗∗ Nearest Neighbor Attack: Angriff über WLAN des Nachbarn ∗∗∗ --------------------------------------------- Dass man über das Gast-WLAN des Ziels kritische Systeme erreichen konnte, lag daran, dass eines davon sowohl per drahtgebundenem Ethernet wie das Gast-WLAN erreichbar war. Damit fiel MFA weg, es handelte sich offenbar um eine Fehlkonfiguration. --------------------------------------------- https://heise.de/-10129358 ∗∗∗ Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. [..] The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions. --------------------------------------------- https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.h… ∗∗∗ Microsoft testing Windows 11 support for third-party passkeys ∗∗∗ --------------------------------------------- Microsoft is now testing WebAuthn API updates that add support for support for using third-party passkey providers for Windows 11 passwordless authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-testing-windows-11… ∗∗∗ Decrypting a PDF With a User Password, (Sat, Nov 23rd) ∗∗∗ --------------------------------------------- In diary entry "Analyzing an Encrypted Phishing PDF", I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn't have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document? --------------------------------------------- https://isc.sans.edu/diary/rss/31466 ∗∗∗ Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform ∗∗∗ --------------------------------------------- ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:TALOS-2024-1964 (CVE-2024-38184)TALOS-2024-1965 (CVE-2024-38185) --------------------------------------------- https://blog.talosintelligence.com/finding-vulnerabilities-in-clipsp-the-dr… ∗∗∗ Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft ∗∗∗ --------------------------------------------- The package, @0xengine/xmlrpc, began its life as a “legitimate” XML-RPC implementation in October 2023, but strategically transformed into a malicious tool in later versions and has remained active through November of 2024. This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety. --------------------------------------------- https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-a… ∗∗∗ Secure Coding: CWE-377 – TOCTOU-Race-Conditions in den Griff bekommen ∗∗∗ --------------------------------------------- TOCTOU-Schwachstellen zählen zu den schwerwiegendsten in der Common Weakness Enumeration CWE-377 beschriebenen. [..] Der Schlüssel zur Vermeidung dieser Schwachstellen liegt in der Beseitigung der Lücke zwischen dem Zeitpunkt der Überprüfung und dem Zeitpunkt der Nutzung, typischerweise durch den Einsatz atomarer Dateierstellungsmethoden – etwa die von sicheren APIs wie File.createTempFile() oder Files.createTempFile(). --------------------------------------------- https://heise.de/-10081613 ∗∗∗ Phishing-Warnung: Kriminelle missbrauchen Black-Friday-Trubel ∗∗∗ --------------------------------------------- Im Phishingradar warnen die Verbraucherzentralen, dass seit Freitag betrügerische E-Mails im Umlauf sind, die zum Gegenstand haben, dass unbekannte Zugriffe auf das Konto zu einer vorübergehenden Sperrung des Kontos führe. --------------------------------------------- https://heise.de/-10143500 ∗∗∗ Advanced threat predictions for 2025 ∗∗∗ --------------------------------------------- Kasperskys Global Research and Analysis Team monitors over 900 APT (Advanced Persistent Threat) groups and operations. In this piece of KSB series, we review the advanced threat trends from the past year and offer insights into what we can expect in 2025. --------------------------------------------- https://securelist.com/ksb-apt-predictions-2025/114582/ ∗∗∗ Webinar: Internetkriminalität - Betrugsfallen & Fakes im Internet ∗∗∗ --------------------------------------------- Dieses Webinar informiert Sie über gängige Betrugsfallen im Internet (Abo-Fallen, Fake Shops, Kleinanzeigenbetrug, Scamming & Co.) und zeigt, wie Sie diese erkennen können. Nehmen Sie kostenlos teil: Montag, 9. Dezember 2024, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-betrug… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, chromium, ghostscript, glib2.0, intel-microcode, and kernel), Fedora (dotnet9.0, needrestart, php, and python3.6), Oracle (cups, kernel, osbuild-composer, podman, python3.12-urllib3, squid, and xerces-c), Red Hat (buildah, edk2, gnome-shell, haproxy, kernel, kernel-rt, libvpx, pam, python3.11-urllib3, python3.12-urllib3, qemu-kvm, rhc-worker-script, squid:4, and tigervnc), Slackware (php), SUSE (chromedriver, chromium, dcmtk, govulncheck-vulndb, iptraf-ng, and traefik2), and Ubuntu (linux-oracle and openjdk-23). --------------------------------------------- https://lwn.net/Articles/999597/ ∗∗∗ UmweltOffice: SQL Injection in Siempelkamp NIS UmweltOffice <7.4.3 (SYSS-2024-074) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-siempelkamp-nis-umweltoff… ∗∗∗ F5: K000148495: libssh vulnerability CVE-2023-1667 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148495 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
...
7
8
9
10
11
12
13
...
315
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily