Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 08.11.2024
by Daily end-of-shift report 08 Nov '24

08 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-11-2024 18:00 − Freitag 08-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google To Make MFA Mandatory for Google Cloud in 2025 ∗∗∗ --------------------------------------------- Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected. --------------------------------------------- https://heimdalsecurity.com/blog/google-cloud-mfa/ ∗∗∗ 2024 Credit Card Theft Season Arrives ∗∗∗ --------------------------------------------- In today’s post we’re going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers. --------------------------------------------- https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html ∗∗∗ ESET APT Activity Report Q2 2024–Q3 2024 ∗∗∗ --------------------------------------------- An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024 --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2… ∗∗∗ Helldown Ransomware Group – A New Emerging Ransomware Threat ∗∗∗ --------------------------------------------- As of November 2024, the online resources available related to the Helldown ransomware group’s Tactics Techniques and Procedures (TTP’s) were effectively none-existent – this blogpost aims to address that and will be updated continuously as more investigations are completed. --------------------------------------------- https://www.truesec.com/hub/blog/helldown-ransomware-group ∗∗∗ TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world. ∗∗∗ --------------------------------------------- While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA’s TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence. --------------------------------------------- https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-… ∗∗∗ Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations ∗∗∗ --------------------------------------------- Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-… ∗∗∗ Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks ∗∗∗ --------------------------------------------- Last time we took a dive deep into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Nameless and shameless: Ransomware Encryption via BitLocker ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs. --------------------------------------------- https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware… ∗∗∗ Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond ∗∗∗ --------------------------------------------- Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns. --------------------------------------------- https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktap… ===================== = Vulnerabilities = ===================== ∗∗∗ Max-Critical Cisco Bug Enables Command-Injection Attacks ∗∗∗ --------------------------------------------- Though Cisco reports of no known malicious exploitation attempts, but thanks to a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland). --------------------------------------------- https://lwn.net/Articles/997480/ ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2024
by Daily end-of-shift report 07 Nov '24

07 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-11-2024 18:00 − Donnerstag 07-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers increasingly use Winos4.0 post-exploitation kit in attacks ∗∗∗ --------------------------------------------- Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-win… ∗∗∗ A look at the latest post-quantum signature standardization candidates ∗∗∗ --------------------------------------------- NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take .. --------------------------------------------- https://blog.cloudflare.com/another-look-at-pq-signatures ∗∗∗ The Power of Process in Creating a Successful Security Posture ∗∗∗ --------------------------------------------- Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/process-in-creating-su… ∗∗∗ Microsoft Windows Server 2025 Upgrade Triggers Licensing Conflicts and Operational Fallout ∗∗∗ --------------------------------------------- A recent Microsoft update has unexpectedly forced several organizations to upgrade from Windows Server 2022 to Windows Server 2025, resulting in unexpected licensing demands and operational setbacks. First reported on November 5, 2024, this incident has affected organizations .. --------------------------------------------- https://heimdalsecurity.com/blog/microsoft-windows-server-2025-upgrade/ ∗∗∗ Steam Account Checker Poisoned with Infostealer ∗∗∗ --------------------------------------------- I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" .. --------------------------------------------- https://isc.sans.edu/forums/diary/Steam+Account+Checker+Poisoned+with+Infos… ∗∗∗ China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait ∗∗∗ --------------------------------------------- The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region."During this attack, the threat .. --------------------------------------------- https://thehackernews.com/2024/11/china-aligned-mirrorface-hackers-target.h… ∗∗∗ North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS ∗∗∗ --------------------------------------------- A threat actor with ties to the Democratic Peoples Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.Cybersecurity company SentinelOne, .. --------------------------------------------- https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html ∗∗∗ Office unter Windows 11 24H2 mit installiertem Crowdstrike lahmgelegt ∗∗∗ --------------------------------------------- Wer Crowdstrike-Sicherheitssoftware einsetzt und auf Windows 11 24H2 aktualisiert hat, hatte womöglich mit nicht funktionierenden Apps zu kämpfen. --------------------------------------------- https://www.heise.de/news/Crowdstrike-legte-Office-unter-Windows-11-24H2-la… ∗∗∗ Large eBay malvertising campaign leads to scams ∗∗∗ --------------------------------------------- Consumers are being swamped by Google ads claiming to be eBays customer service. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-cam… ∗∗∗ Vorsicht vor gefälschten Willhaben-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Willhaben aus und versenden massenhaft gefälschte E-Mails. In den teilweise echt aussehenden E-Mails wird behauptet, dass Sie Ihre Identität bestätigen müssen oder eine Rückerstattung erhalten. Eine andere gefälschte E-Mail enthält im Anhang angeblich eine Rechnung. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-phishing/ ∗∗∗ Silent Skimmer Gets Loud (Again) ∗∗∗ --------------------------------------------- We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of ... --------------------------------------------- https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/ ∗∗∗ Unwrapping the emerging Interlock ransomware attack ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game .. --------------------------------------------- https://blog.talosintelligence.com/emerging-interlock-ransomware/ ∗∗∗ Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities ∗∗∗ --------------------------------------------- CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and .. --------------------------------------------- https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/ ∗∗∗ Malicious Python Package Typosquats Popular fabric SSH Library, Exfiltrates AWS Credentials ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious Python package, fabrice, that is typosquatting the popular fabric SSH automation library. The threat of malware delivered through typosquatted libraries remains a significant .. --------------------------------------------- https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-libr… ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in HASOMED Elefant and Elefant Software Updater ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2024
by Daily end-of-shift report 06 Nov '24

06 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-11-2024 18:00 − Mittwoch 06-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗ --------------------------------------------- The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protec… ∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗ --------------------------------------------- SANS recently published its 2024 State of ICS.OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report .. --------------------------------------------- https://www.darkreading.com/ics-ot-security/attackers-breach-network-provid… ∗∗∗ Verbraucherschützer warnen: Smarte Fritteusen lauschen und senden Daten nach China ∗∗∗ --------------------------------------------- Verbraucherschützer haben bei verschiedenen smarten Geräten Datenschutzprobleme aufgedeckt. Ganz vorne mit dabei: Heißluftfritteusen! --------------------------------------------- https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lau… ∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle. --------------------------------------------- https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/ ∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗ --------------------------------------------- INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation.Dubbed Operation Synergia II, the coordinated effort ran from April 1 to .. --------------------------------------------- https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html ∗∗∗ Angreifer nutzen emulierte Linux-Umgebung als Backdoor ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben eine ungewöhnliche Angriffsart entdeckt: Die Täter haben eine emulierte Linux-Umgebung als Backdoor eingerichtet. --------------------------------------------- https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-n… ∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗ --------------------------------------------- A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first .. --------------------------------------------- https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data… ∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗ --------------------------------------------- TL;DR Default iOS configuration leaves your locked device vulnerable Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-… ∗∗∗ Tückische Zahlungsanweisung: Stammt diese Mail wirklich von Ihrem Chef? ∗∗∗ --------------------------------------------- Von der Buchhaltung im internationalen Großkonzern bis zur Verwaltung im Kleinbetrieb nebenan. In letzter Zeit erhalten immer mehr Mitarbeiter:innen betrügerische Mails im Namen der Geschäftsführung .. --------------------------------------------- https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/ ∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗ --------------------------------------------- Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud. --------------------------------------------- https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-count… ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to .. --------------------------------------------- https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-pla… ∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗ --------------------------------------------- While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. Introduction Since July 2024, Check Point Research (CPR) has been tracking an extensive a.. --------------------------------------------- https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-late… ∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗ --------------------------------------------- The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-per… ∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗ --------------------------------------------- FortiGuard Labs reveals a threat actor spreads Winos4.0, infiltrating gaming apps and targeting the education sector --------------------------------------------- https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos… ∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗ --------------------------------------------- 16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), .. --------------------------------------------- https://lwn.net/Articles/997182/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2024
by Daily end-of-shift report 05 Nov '24

05 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-11-2024 18:00 − Dienstag 05-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Server 2025 released—here are the new features ∗∗∗ --------------------------------------------- Microsoft has announced that Windows Server 2025, the latest version of its server operating system, is generally available starting Friday, November 1st. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-release… ∗∗∗ Nokia investigates breach after hacker claims to steal source code ∗∗∗ --------------------------------------------- Nokia is investigating whether a third-party vendor was breached after a hacker claimed to be selling the companys stolen source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-af… ∗∗∗ Google fixes two Android zero-days used in targeted attacks ∗∗∗ --------------------------------------------- Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zer… ∗∗∗ Angriff auf Schneider Electric: Hungrige Hacker fordern Baguettes als Lösegeld ∗∗∗ --------------------------------------------- Die Angreifer behaupten, über 40 GBytes an Daten von Schneider Electric erbeutet zu haben. Ihre Forderung: 125.000 US-Dollar in Form von Baguettes. --------------------------------------------- https://www.golem.de/news/angriff-auf-schneider-electric-hungrige-hacker-fo… ∗∗∗ Olympia-Kassensysteme: Registrierkassen seit drei Jahren ohne Sicherheitsupdates ∗∗∗ --------------------------------------------- Registrierkassen der Marke Olympia laufen auf Android 11 und bergen Risiken für den Zahlungsverkehr. --------------------------------------------- https://www.golem.de/news/olympia-kassensysteme-registrierkassen-seit-drei-… ∗∗∗ Python RAT with a Nice Screensharing Feature ∗∗∗ --------------------------------------------- While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago. The script I found is based on the same tool and still .. --------------------------------------------- https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/314… ∗∗∗ Maritime lawyers assemble! ∗∗∗ --------------------------------------------- Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships .. --------------------------------------------- https://www.pentestpartners.com/security-blog/maritime-lawyers-assemble/ ∗∗∗ In final check-in before Election Day, CISA cites low-level threats, and not much else ∗∗∗ --------------------------------------------- Incidents to date have included “low level” distributed denial-of-service activity, criminal destruction of ballot drop boxes and continued threats targeting election officials, CISA Director Jen Easterly .. --------------------------------------------- https://therecord.media/cisa-2024-presidential-election-threats ∗∗∗ Smart Cities gegen Cyberattacken resilient machen ∗∗∗ --------------------------------------------- Ob es uns gefällt oder nicht – Städte weltweit wandeln sich in sogenannte "Smart Cities". Die Protagonisten versprechen Innovation, Nachhaltigkeit und digitales Wachstum. Aber diese Infrastruktur bzw. die .. --------------------------------------------- https://www.borncity.com/blog/2024/11/05/smart-cities-gegen-cyberattacken-r… ∗∗∗ SOC Around the Clock: World Tour Survey Findings ∗∗∗ --------------------------------------------- Trend surveyed 750 cybersecurity professionals in 49 countries to learn more about the state of .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/world-tour-survey-results.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3). --------------------------------------------- https://lwn.net/Articles/997030/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2024
by Daily end-of-shift report 04 Nov '24

04 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2024 18:00 − Montag 04-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗ --------------------------------------------- The botnet is being skillfully used to launch "highly evasive" password-spraying attacks. --------------------------------------------- https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8… ∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗ --------------------------------------------- The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and… ∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗ --------------------------------------------- Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal dont contain information that could be exploited in future breaches of the companys systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-… ∗∗∗ Ware nicht geliefert: Betrüger hacken Tausende Webshops und kassieren Millionen ∗∗∗ --------------------------------------------- Hacker haben seit 2019 im Rahmen einer Betrugskampagne unzählige Onlineshops infiltriert. Käufer bestimmter Produkte erhielten .. --------------------------------------------- https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we… ∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗ --------------------------------------------- In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht… ∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗ --------------------------------------------- U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israels participation .. --------------------------------------------- https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html ∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗ --------------------------------------------- Calls for improvements will soon turn into demands when new rules come into force The UKs finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like .. --------------------------------------------- https://www.theregister.com/2024/11/02/fca_it_resilience/ ∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗ --------------------------------------------- A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. Well .. --------------------------------------------- https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with… ∗∗∗ Kostenlose Webinare zum Schutz im Internet ∗∗∗ --------------------------------------------- Ab 2. Dezember finden in Kooperation mit der AK Oberösterreich und Saferinternet.at spannende Webinare zum sicheren und verantwortungsvollen Umgang mit Handy und Internet statt. Erweitern Sie Ihre digitalen Kompetenzen und .. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in… ∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗ --------------------------------------------- A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. --------------------------------------------- https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/ ∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗ --------------------------------------------- The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks. --------------------------------------------- https://therecord.media/fbi-hackers-china-wants-info ∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗ --------------------------------------------- Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain .. --------------------------------------------- https://asec.ahnlab.com/en/84181/ ∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗ --------------------------------------------- age “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining .. --------------------------------------------- https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac… ∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗ --------------------------------------------- Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal --------------------------------------------- https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/ ∗∗∗ Mallox Ransomware ∗∗∗ --------------------------------------------- FortiGuard Labs continue to see increase in Mallox ransomware related activities detecting Mallox ransomware on multiple hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, .. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware ∗∗∗ Missing Link: Wie ein Unternehmen bei einem Cyberangriff die Kontrolle verlor ∗∗∗ --------------------------------------------- Eigentlich fühlt sich der IT-Chef recht sicher. Bis Hacker mitten am Tag in die Firma marschieren – und unbehelligt wieder raus. Die Beute: volle Kontrolle. --------------------------------------------- https://heise.de/-9984869 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons. kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, .. --------------------------------------------- https://lwn.net/Articles/996908/ ∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2024
by Daily end-of-shift report 31 Oct '24

31 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2024 18:00 − Donnerstag 31-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages. --------------------------------------------- https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken… ∗∗∗ GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI ∗∗∗ --------------------------------------------- Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship --------------------------------------------- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vul… ∗∗∗ Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files ∗∗∗ --------------------------------------------- Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-… ∗∗∗ Discovering Hidden Vulnerabilities in Portainer with CodeQL ∗∗∗ --------------------------------------------- In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-… ∗∗∗ Loose-lipped neural networks and lazy scammers ∗∗∗ --------------------------------------------- As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud. --------------------------------------------- https://securelist.com/llm-phish-blunders/114367/ ∗∗∗ Mounting memory with MemProcFS for advanced memory forensics ∗∗∗ --------------------------------------------- Whilst this blog does not intend to go into any detail into some of the most popular tools available to analyse memory, nor a deep dive into analysis techniques it is intended to provide high level information about some significant enhances to memory forensics in the last few years and the difference in tooling. This also covers three memory forensic tools; many others are available. --------------------------------------------- https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocf… ∗∗∗ The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices ∗∗∗ --------------------------------------------- Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security. --------------------------------------------- https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-ins… ∗∗∗ Auditing K3s Clusters ∗∗∗ --------------------------------------------- K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere. --------------------------------------------- https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/ ===================== = Vulnerabilities = ===================== ∗∗∗ LiteSpeed Cache WordPress plugin bug lets hackers get admin access ∗∗∗ --------------------------------------------- The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-pl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04). --------------------------------------------- https://lwn.net/Articles/996526/ ∗∗∗ Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-055 ∗∗∗ Bosch: DoS vulnerability on IndraDrive ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-315415.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2024
by Daily end-of-shift report 30 Oct '24

30 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2024 18:00 − Mittwoch 30-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗ --------------------------------------------- A global large-scale dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-c… ∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗ --------------------------------------------- Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomwa… ∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗ --------------------------------------------- In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. --------------------------------------------- https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/ ∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗ --------------------------------------------- Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets. --------------------------------------------- https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vec… ∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗ --------------------------------------------- A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges. --------------------------------------------- https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/ ===================== = Vulnerabilities = ===================== ∗∗∗ Nach Pwn2Own: QNAP und Synology patchen ausgenutzte NAS-Lücken ∗∗∗ --------------------------------------------- Für auf der Pwn2Own ausgenutzte TrueNAS-Lücken scheint es derweil noch keine Patches zu geben – dafür aber Hinweise, wie Nutzer ihre Systeme vor möglichen Angriffen schützen können. [..] Erste Patches gibt es beispielsweise von Synology. Das Unternehmen hat schon am 25. Oktober Updates für Beephotos für Beestation OS 1.0 und 1.1 sowie Synology Photos 1.7 und 1.6 für DSM 7.2 bereitgestellt. Diese schließen jeweils eine kritische Sicherheitslücke, die es Angreifern erlaubt, aus der Ferne Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzt… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/996310/ ∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-42 ∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1015 ∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1014 ∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injectio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2024
by Daily end-of-shift report 29 Oct '24

29 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2024 18:00 − Dienstag 29-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New tool bypasses Google Chrome’s new cookie encryption system ∗∗∗ --------------------------------------------- A researcher has released a tool to bypass Googles new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chr… ∗∗∗ Exchange Online: Inbound SMTP DANE mit DNSSEC verfügbar ∗∗∗ --------------------------------------------- Microsoft hat das Inbound SMTP DANE mit DNSSEC für Exchange Online allgemein freigegeben, nachdem das Ganze bereits im Juli 2024 als Preview verfügbar war. Mit der neuen Funktion Inbound SMTP DANE with DNSSEC in Exchange Online soll die Sicherheit der E-Mail-Kommunikation durch die Unterstützung zweier Sicherheitsstandards erhöht werden. --------------------------------------------- https://www.borncity.com/blog/2024/10/29/exchange-online-inbound-smtp-dane-… ∗∗∗ Ransomware-Angriffe auf Sonicwall SSL-VPNs ∗∗∗ --------------------------------------------- IT-Forscher haben Attacken auf Sonicwall SSL-VPNs untersucht und dabei Ransomware-Aktivitäten von Akira und Fog entdeckt. [..] Die Sonicwall-Geräte, durch die die Täter einbrechen konnten, waren allesamt nicht gegen die Schwachstelle CVE-2024-40766 gepatcht – mit einem CVSS-Wert von 9.3 gilt sie als kritisches Risiko. Anfang September warnte Sonicwall, dass diese Sicherheitslücke in den SSL-VPNs bereits aktiv angegriffen wird, und wies nochmals auf die verfügbaren Updates hin, die das Sicherheitsleck stopfen. --------------------------------------------- https://heise.de/-9998068 ∗∗∗ New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors ∗∗∗ --------------------------------------------- More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. [..] The attack has been described as the first, practical "end-to-end cross-process Spectre leak." --------------------------------------------- https://thehackernews.com/2024/10/new-research-reveals-spectre.html ∗∗∗ What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE ∗∗∗ --------------------------------------------- Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. [..] if you’re a beginner with a creative mind looking to get started with code review, I definitely recommend you read this blog. --------------------------------------------- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v2… ∗∗∗ Vorsicht vor dieser Instagram-Nachricht: „Ich brauche deine Hilfe“ ∗∗∗ --------------------------------------------- „Ich brauche deine Hilfe“ schreibt eine bekannte Person oder auch ein Freund oder eine Freundin auf Instagram. Die Person bittet Sie, bei einem Voting für sie abzustimmen und schickt Ihnen einen Link. Vorsicht: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-hilfe/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP: Vulnerability in HBS 3 Hybrid Backup Sync (PWN2OWN 2024) ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. Critical, CVE-2024-50388 --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-41 ∗∗∗ Spring: Authorization Bypass of Static Resources in WebFlux Applications ∗∗∗ --------------------------------------------- Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. CRITICAL, CVE-2024-38821 --------------------------------------------- https://spring.io/security/cve-2024-38821/ ∗∗∗ Auch verfügbar: Updates für iOS 17, macOS 14 und macOS 13 – mit Sicherheitsfixes ∗∗∗ --------------------------------------------- Apple hat neben iOS 18.1, iPadOS 18.1 und macOS 15.1 auch Updates für ältere Betriebssysteme bereitgestellt. Sie beheben nur Sicherheitsprobleme. --------------------------------------------- https://heise.de/-9997116 ∗∗∗ Mozilla Security Advisories October 29, 2024 ∗∗∗ --------------------------------------------- Thunderbird 132, Thunderbird 128.4, Firefox ESR 115.17, Firefox ESR 128.4 and Firefox 132. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3). --------------------------------------------- https://lwn.net/Articles/996196/ ∗∗∗ 0patch: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html ∗∗∗ OneDev Security Update Advisory (CVE-2024-45309) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84118/ ∗∗∗ Solar-Log Base 15 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2024
by Daily end-of-shift report 28 Oct '24

28 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗ --------------------------------------------- Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i… ∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗ --------------------------------------------- The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar… ∗∗∗ 70 Zero-Day-Lücken ausgenutzt: Pwn2Own-Hacker knacken Samsung Galaxy S24 und mehr ∗∗∗ --------------------------------------------- Bei dem Wettbewerb wurden auch diverse Kameras, Drucker und NAS-Systeme attackiert. An ein Pixel 8 oder iPhone 15 hat sich aber niemand rangetraut. --------------------------------------------- https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna… ∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗ --------------------------------------------- To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry .. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu… ∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗ --------------------------------------------- The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently .. --------------------------------------------- https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h… ∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗ --------------------------------------------- A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers. --------------------------------------------- https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-… ∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗ --------------------------------------------- These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, .. --------------------------------------------- https://zwclose.github.io/2024/10/14/rtsper1.html ∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗ --------------------------------------------- The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for trade craft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that call themselves “You Dun” .. --------------------------------------------- https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d… ∗∗∗ Die NSA empfiehlt wöchentliches Smartphone-Reboot ∗∗∗ --------------------------------------------- Interessante Information, die mir die Woche untergekommen ist. Die US-Sicherheitsbehörde NSA (National Security Agency, Inlandsgeheimdienst) empfiehlt einmal wöchentlich sein Smartphone neu zu starten. Das ganze hat einen sicherheitstechnischen Hintergrund. Durch den Neustart soll Malware, die nicht persistent .. --------------------------------------------- https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s… ∗∗∗ Anatomy of an LLM RCE ∗∗∗ --------------------------------------------- As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r… ∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗ --------------------------------------------- In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-… ∗∗∗ Secure Coding: Unbefugten Zugriff durch Path Traversal (CWE-22) verhindern ∗∗∗ --------------------------------------------- CWE-22 beschreibt die unsachgemäße Veränderung eines Pfadnamens auf ein eingeschränktes Verzeichnis. Wie lässt sich die Schwachstelle in den Griff bekommen? --------------------------------------------- https://heise.de/-9982270 ∗∗∗ Black Basta-Gruppe nutzt Microsoft Teams-Chatfunktion ∗∗∗ --------------------------------------------- Die als "Black Basta" bekannte Ransomware-Gruppe hat einen neuen Mechanismus entwickelt, der die Chatfunktion von Microsoft Teams zur Kontaktaufnahme ausnutzt. --------------------------------------------- https://heise.de/-9995322 ∗∗∗ Nvidia: Rechteausweitung durch Sicherheitslücken in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia warnt vor mehreren Sicherheitslücken in den Grafiktreibern, die etwa das Ausweiten der Rechte ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-9995842 ∗∗∗ Lagebericht 2024: Fast 8 Millionen Mal installierte Malware in Google Play ∗∗∗ --------------------------------------------- IT-Forscher haben die mobile-Malware-Situation der vergangenen 12 Monate untersucht. Mehr als 200 App-Fälschungen lauerten in Google Play. --------------------------------------------- https://heise.de/-9996456 ∗∗∗ VMware Tanzu Spring Security: Umgehung von Autorisierungsregeln möglich ∗∗∗ --------------------------------------------- In VMware Tanzu Spring Security klafft eine kritische Sicherheitslücke, die Angreifern die Umgehung von Autorisierungsregeln ermöglicht. --------------------------------------------- https://heise.de/-9996582 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, .. --------------------------------------------- https://lwn.net/Articles/996085/ ∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78335885/ ∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148252 ∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148256 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2024
by Daily end-of-shift report 25 Oct '24

25 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2024 18:00 − Freitag 25-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Denial of Service in Cisco ASA & FTD und weitere Cisco Advisories ∗∗∗ --------------------------------------------- Cisco berichtet in einem kürzlich veröffentlichten Advisory, sich "malicious use" einer Denial-of-Service Sicherheitslücke in Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN bewusst zu sein. Berichten nach handelt es sich hierbei aber nicht um gezielte Denial-of-Service Angriffe, sondern um Seiteneffekte von breitgestreuten Brute-Force oder Credential-Spraying Attacken. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd… ∗∗∗ Objektorientiert und weniger redundant: Das BSI stellt den IT-Grundschutz++ vor ∗∗∗ --------------------------------------------- Das BSI hat sich das Ziel gesetzt, den IT-Grundschutz anwenderfreundlicher zu machen. Dafür setzt man auf Maschinenlesbarkeit und eine schlankere Dokumentation. --------------------------------------------- https://heise.de/-9994010 ∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. --------------------------------------------- https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h… ∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗ --------------------------------------------- Historically, Mac users havent had to worry about malware as much as their Windows-using cousins. But that doesnt mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real. --------------------------------------------- https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery… ∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗ --------------------------------------------- Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit --------------------------------------------- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus… ∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗ --------------------------------------------- How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began. --------------------------------------------- https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ… ∗∗∗ Moderne Datenkraken: Smart-TVs tracken sogar HDMI-Inhalte ∗∗∗ --------------------------------------------- Smart-TVs werten sogar dann Bildinhalte aus, wenn ein HDMI-Zuspieler genutzt wird. Die Analysen dienen gezielter Werbung. --------------------------------------------- https://heise.de/-9994787 ∗∗∗ Vonovia in der Kritik: Smarte Rauchmelder bergen Risiko der Spionage ∗∗∗ --------------------------------------------- Die Rauchmelder erfassen allerhand Informationen über die Luftqualität und schicken sie durchs Internet - für Kriminelle ein willkommener Datenschatz. [..] Vonovia selbst verarbeitet die Daten angeblich nur in anonymisierter Form. --------------------------------------------- https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
...
9
10
11
12
13
14
15
...
315
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily