Daily

daily@lists.cert.at

1 participants
3196 discussions

Tageszusammenfassung - 03.01.2025
by Daily end-of-shift report 03 Jan '25

03 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-01-2025 18:00 − Freitag 03-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SwaetRAT Delivery Through Python ∗∗∗ --------------------------------------------- We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all .. --------------------------------------------- https://isc.sans.edu/forums/diary/SwaetRAT+Delivery+Through+Python/31554/ ∗∗∗ 3,1 Millionen bösartige Fake-Sterne auf GitHub entdeckt – Tendenz steigend ∗∗∗ --------------------------------------------- In einer umfassenden Studie ist ein US-Forschungsteam auf Millionen Fake-Sterne bei GitHub gestoßen und warnt vor einem rasant steigenden Trend. --------------------------------------------- https://www.heise.de/news/3-1-Millionen-boesartige-Fake-Sterne-auf-GitHub-e… ∗∗∗ Configurations Mega Blog: Why Configurations Are the Wrong Thing to Get Wrong ∗∗∗ --------------------------------------------- So many times, we look beyond the mark. With our feeds constantly inundated with headline-grabbing news about AI-generated threats, nation states upping their cybercrime game, and sophisticated new forms of malware, we can be tempted to think that the bulk of cyberwarfare is going on "up there" somewhere. In reality, most breaches still originate .. --------------------------------------------- https://www.tripwire.com/state-of-security/configurations-mega-blog-why-con… ∗∗∗ 10 Non-tech things you wish you had done after being breached ∗∗∗ --------------------------------------------- TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee .. --------------------------------------------- https://www.pentestpartners.com/security-blog/10-non-tech-things-you-wish-y… ∗∗∗ Von Social Media bis App: So sind Sie Kriminellen einen Schritt voraus ∗∗∗ --------------------------------------------- Internetbetrug wird immer raffinierter und kann jeden Menschen treffen. Deshalb ist es wichtig, auf dem Laufenden zu bleiben und die aktuellen Betrugsmaschen zu kennen. Vom klassischen Newsletter über .. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-kanaele/ ∗∗∗ NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT ∗∗∗ --------------------------------------------- Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar .. --------------------------------------------- https://hackread.com/npm-package-disguised-ethereum-tool-quasar-rat/ ∗∗∗ Schädliche Versionen von zahlreichen Chrome-Erweiterungen in Umlauf ∗∗∗ --------------------------------------------- Über die Weihnachtstage verschafften sich die Täter Zugriff auf diverse Chrome-Extensions – in einigen Fällen sogar schon deutlich früher. --------------------------------------------- https://heise.de/-10224745 ∗∗∗ Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) ∗∗∗ --------------------------------------------- Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution. --------------------------------------------- https://www.wiz.io/blog/nuclei-signature-verification-bypass ∗∗∗ Malicious npm Campaign Targets Ethereum Developers with Fake Hardhat Packages ∗∗∗ --------------------------------------------- Hardhat, maintained by the Nomic Foundation, is a vital tool for Ethereum developers. As a versatile development environment for Ethereum, it streamlines the creation, testing, and deployment of smart contracts and dApps. Its flexible plugin architecture allows developers to customize workflows with tools and extensions, optimizing productivity and supporting .. --------------------------------------------- https://socket.dev/blog/malicious-npm-campaign-targets-ethereum-developers ===================== = Vulnerabilities = ===================== ∗∗∗ iTerm2 3.5.11 released with a critical security fix ∗∗∗ --------------------------------------------- https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2025
by Daily end-of-shift report 02 Jan '25

02 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-12-2024 18:00 − Donnerstag 02-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff: Hacker wollen Daten von IT-Dienstleister Atos erbeutet haben ∗∗∗ --------------------------------------------- Die Angreifer behaupten, im Besitz einer Firmendatenbank von Atos zu sein. Der IT-Dienstleister findet bisher keine Beweise für einen Angriff. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-wollen-daten-von-it-dienstlei… ∗∗∗ Supportende naht: Forscher warnt vor Security-Fiasko durch Windows 10 ∗∗∗ --------------------------------------------- Rund zwei Drittel aller Windows-PCs in Deutschland arbeiten noch mit Windows 10. Es besteht dringender Handlungsbedarf - nicht erst im Oktober dieses Jahres. --------------------------------------------- https://www.golem.de/news/supportende-naht-forscher-warnt-vor-security-fias… ∗∗∗ Chinas cyber intrusions took a sinister turn in 2024 ∗∗∗ --------------------------------------------- >From targeted espionage to pre-positioning - not that they are mutually exclusive The Chinese governments intrusions into Americas telecommunications and other critical infrastructure networks this year appears to signal a shift from cyberspying as usual to prepping for destructive attacks. --------------------------------------------- https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/ ∗∗∗ US Treasury Department outs the blast radius of BeyondTrusts key leak ∗∗∗ --------------------------------------------- Data pilfered as miscreants roamed affected workstations The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident." --------------------------------------------- https://www.theregister.com/2024/12/31/us_treasury_department_hacked/ ∗∗∗ "Die perfekte Phishing-Mail": Mit KI-Textgeneratoren gegen Führungskräfte ∗∗∗ --------------------------------------------- KI-Technik ermöglicht es Kriminellen, hochpersonalisierte Phishing-Mails an Führungskräfte zu schicken, warnt ein Versicherer. Trainingsmaterial gibt es online. --------------------------------------------- https://www.heise.de/news/Die-perfekte-Phishing-Mail-Mit-KI-Textgeneratoren… ∗∗∗ U.S. Army Soldier Arrested in AT&T, Verizon Extortions ∗∗∗ --------------------------------------------- Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and .. --------------------------------------------- https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizo… ∗∗∗ Vorsicht vor betrügerischen E-Mails zur Rückerstattung von ORF-Gebühren ∗∗∗ --------------------------------------------- Derzeit finden zahlreiche Personen ein E-Mail in ihrem Postfach, in dem behauptet wird, dass sie Anspruch auf eine Rückerstattung von ORF-Gebühren in Höhe von 34,40 Euro haben. Achtung: Es handelt sich dabei um einen Phishing-Versuch, der darauf abzielt, Kontodaten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-orf-rueckerstattung-… ∗∗∗ Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability ∗∗∗ --------------------------------------------- The jailbreak technique "Bad Likert Judge" manipulates LLMs to generate harmful content using Likert scales, exposing safety gaps in LLM guardrails. --------------------------------------------- https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/ ∗∗∗ DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective ∗∗∗ --------------------------------------------- The Digital Operational Resilience Act (DORA) is coming in 2025. --------------------------------------------- https://www.team-cymru.com/post/dora-regulation-digital-operational-resilie… ∗∗∗ Passkey technology is elegant, but it’s most definitely not usable security ∗∗∗ --------------------------------------------- It's that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they're having behind the device screens all around them. One of the most vexing .. --------------------------------------------- https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-… ∗∗∗ I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny ∗∗∗ --------------------------------------------- API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits .. --------------------------------------------- https://eaton-works.com/2024/12/19/mcdelivery-india-hack/ ∗∗∗ Déjà vu: Ghostly CVEs in my terminal title ∗∗∗ --------------------------------------------- As I've spoken and written about all modern terminals are actually "emulating" something dating from the .. --------------------------------------------- https://dgl.cx/2024/12/ghostty-terminal-title ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1737: Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1737/ ∗∗∗ ZDI-24-1736: (0Day) Paessler PRTG Network Monitor SNMP Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1736/ ∗∗∗ ZDI-24-1739: Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1739/ ∗∗∗ ZDI-24-1738: Foxit PDF Reader AcroForm Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1738/ ∗∗∗ PAN-OS Firewall Denial of Service (DoS) Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5610 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2024
by Daily end-of-shift report 30 Dec '24

30 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-12-2024 18:00 − Montag 30-12-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Customer data from 800,000 electric cars and owners exposed online ∗∗∗ --------------------------------------------- Volkswagens automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers names and reveal precise vehicle locations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/customer-data-from-800-000-e… ∗∗∗ Malware botnets exploit outdated D-Link routers in recent attacks ∗∗∗ --------------------------------------------- Two botnets tracked as Ficora and Capsaicin have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outd… ∗∗∗ Hackerangriff auf Flughäfen von Mailand ∗∗∗ --------------------------------------------- Eine prorussische Hackergruppe bekannte sich zu dem Cyberangriff. Der Flugbetrieb war nicht gefährdet. --------------------------------------------- https://futurezone.at/digital-life/hackerangriff-auf-flughaefen-von-mailand… ∗∗∗ Bundestagswahlen: Wahlsoftware immer noch unsicher ∗∗∗ --------------------------------------------- Seit Jahren fordert der CCC eine transparente Wahlsoftware. Wie sinnvoll das wäre, zeigt die Analyse eines weit verbreiteten Tools. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/bundestagswahlen-wahlsoftware-immer-noch-unsicher… ∗∗∗ Rundsteuerempfänger gehackt: Lässt sich über Funksignale ein Blackout herbeiführen? ∗∗∗ --------------------------------------------- Zwei Sicherheitsforscher haben die Protokolle für funkbasierte Rundsteuerempfänger entschlüsselt. Doch es ist strittig, in welchem Umfang sich manipulierte Signale missbrauchen lassen. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/rundsteuerempfaenger-gehackt-laesst-sich-ueber-fu… ∗∗∗ Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks ∗∗∗ --------------------------------------------- In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS --------------------------------------------- https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-… ∗∗∗ 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft ∗∗∗ --------------------------------------------- A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal --------------------------------------------- https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html ∗∗∗ Its only a matter of time before LLMs jump start supply-chain attacks ∗∗∗ --------------------------------------------- The greatest concern is with spear phishing and social engineering Interview Now that criminals have realized theres no need to train their own LLMs for any nefarious purposes - its much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real. --------------------------------------------- https://www.theregister.com/2024/12/29/llm_supply_chain_attacks/ ∗∗∗ 38C3: Große Sicherheitsmängel in elektronischer Patientenakte 3.0 aufgedeckt ∗∗∗ --------------------------------------------- Gravierende Sicherheitslücken müssten bis zum Start der ePA 3.0 noch geschlossen werden. Das demonstrieren Martin Tschirsich und Bianca Kastl auf dem 38C3. --------------------------------------------- https://www.heise.de/news/38C3-Weitere-Sicherheitsmaengel-in-elektronischer… ∗∗∗ 38C3: BogusBazaar-Bande betreibt noch immer Tausende Fakeshops ∗∗∗ --------------------------------------------- Monate nach der Entdeckung operiert eine chinesische Cyberbande weiterhin unbehelligt, berichten Sicherheitsforscher. Schützenhilfe leisten auch US-Anbieter. --------------------------------------------- https://www.heise.de/news/38C3-BogusBazaar-Bande-betreibt-noch-immer-Tausen… ∗∗∗ 38C3: BitLocker-Verschlüsselung von Windows 11 umgangen, ohne PC zu öffnen. ∗∗∗ --------------------------------------------- Zwei Jahre nach der vermeintlichen Behebung einer Lücke kann diese weiterhin genutzt werden, um BitLocker-geschützte Festplatten von Windows 11 zu entschlüsseln --------------------------------------------- https://www.heise.de/news/38C3-BitLocker-Verschluesselung-von-Windows-11-um… ∗∗∗ On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE ∗∗∗ --------------------------------------------- An account with the name @NSA_Employee39 claimed to have dropped a zero-day vulnerability for the popular file archive software 7-Zip. Nobody could get it to work. --------------------------------------------- https://therecord.media/fake-zero-day-7Zip ∗∗∗ Lets Encrypt to end OCSP support in 2025 ∗∗∗ --------------------------------------------- Well, the writing has been on the wall for some years now, arguably over a decade, but the time has finally come where the largest CA in the World is going to drop support for the Online Certificate Status Protocol.What is OCSP?The Online Certificate Status Protocol is a --------------------------------------------- https://scotthelme.ghost.io/lets-encrypt-to-end-ocsp-support-in-2025/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-good1.0 and opensc), Fedora (iwd and libell), and SUSE (chromium, govulncheck-vulndb, and poppler). --------------------------------------------- https://lwn.net/Articles/1003768/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2024
by Daily end-of-shift report 27 Dec '24

27 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-12-2024 18:00 − Freitag 27-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybersecurity firms Chrome extension hijacked to steal users data ∗∗∗ --------------------------------------------- One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. [..] Cyberhaven's internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-e… ∗∗∗ Microsoft warnt: Bug könnte Security-Updates verhindern ∗∗∗ --------------------------------------------- Microsoft warnt Nutzer, die ihr System vor Kurzem via CD oder USB-Stick installiert haben. Konkret geht es um Installationsmedien, die das Sicherheitsupdate vom Oktober oder das vom November inkludiert haben. Hier kann es passieren, dass diese Systeme keine weiteren Updates mehr erhalten, wenn sie derzeit auf 24H2 sind. --------------------------------------------- https://futurezone.at/produkte/microsoft-warnung-bug-security-updates-windo… ∗∗∗ Datenschutzverletzung: Volkwagen-Bewegungsprofile von 800.000 E-Autos offengelegt ∗∗∗ --------------------------------------------- Persönliche Daten und Bewegungsprofile von rund 800.000 VW-E-Auto-Besitzern lagen monatelang öffentlich zugänglich in der Cloud. --------------------------------------------- https://www.golem.de/news/datenschutzverletzung-volkwagen-bewegungsprofile-… ∗∗∗ Threat landscape for industrial automation systems in Q3 2024 ∗∗∗ --------------------------------------------- The ICS CERT quarterly report covers threat landscape for industrial automation systems in Q3 2024. --------------------------------------------- https://securelist.com/ics-cert-q3-2024-report/115182/ ∗∗∗ More SSH Fun!, (Tue, Dec 24th) ∗∗∗ --------------------------------------------- A few days ago, I wrote a diary about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. --------------------------------------------- https://isc.sans.edu/diary/rss/31542 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2024! ∗∗∗ --------------------------------------------- Wir sagen „DANKE“ und blicken noch einmal zurück auf die Entwicklungen und Geschehnisse des vergangenen Jahres. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-2024/ ∗∗∗ ASUS: "Weihnachtsüberraschung" mit christmas.exe schief gegangen ∗∗∗ --------------------------------------------- Anbieter ASUS wollte seine Benutzer überraschen und hat diesen eine besondere Weihnachtskarte mit dem Dateinamen christmas.exe zukommen lassen. Ist natürlich seit Jahren bekannt, dass man aus Sicherheitsgründen keine .exe-Grußkarte mit Weihnachtsgrüßen verschickt. --------------------------------------------- https://www.borncity.com/blog/2024/12/26/asus-weihnachtsueberraschung-mit-c… ∗∗∗ PMKID Attacks: Debunking the 802.11r Myth ∗∗∗ --------------------------------------------- This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID). --------------------------------------------- https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211… ∗∗∗ From Arbitrary File Write to RCE in Restricted Rails apps ∗∗∗ --------------------------------------------- Introduction Recently, we came across a situation where we needed to exploit an arbitrary file write vulnerability in a Rails application running in a restricted environment. The application was deployed via a Dockerfile that imposed...O post From Arbitrary File Write to RCE in Restricted Rails apps apareceu primeiro em Conviso AppSec. --------------------------------------------- https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restr… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto: CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3393 ∗∗∗ Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024. --------------------------------------------- https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html ∗∗∗ Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. --------------------------------------------- https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.h… ∗∗∗ Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2024/12/apache-mina-cve-2024-52046-cvss-100.html ∗∗∗ Adobe warns of critical ColdFusion bug with PoC exploit code ∗∗∗ --------------------------------------------- Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-cold… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (containernetworking-plugins, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile:1.0.31, mpg123:1.32.9, pam, php:8.1, php:8.2, python3.11, python3.11-urllib3, python3.12, python3.9:3.9.21, skopeo, and unbound:1.16.2), Debian (intel-microcode), Fedora (python3-docs and python3.12), Mageia (emacs), Red Hat (podman), and SUSE (gdb, govulncheck-vulndb, libparaview5_12, mozjs115, mozjs78, and vhostmd). --------------------------------------------- https://lwn.net/Articles/1003381/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (sympa and tomcat), Red Hat (kernel), and SUSE (poppler). --------------------------------------------- https://lwn.net/Articles/1003462/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastnetmon, webkit2gtk, and xen), Fedora (sympa), Oracle (postgresql), and Red Hat (pcp, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland). --------------------------------------------- https://lwn.net/Articles/1003542/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-postcss), Fedora (age, dr_libs, incus, libxml2, moodle, and python-sql), and SUSE (poppler and python-grpcio). --------------------------------------------- https://lwn.net/Articles/1003601/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2024
by Daily end-of-shift report 23 Dec '24

23 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-12-2024 18:00 − Montag 23-12-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗ --------------------------------------------- Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar… ∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗ --------------------------------------------- We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims data with various PowerShell scripts. --------------------------------------------- https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/ ∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗ --------------------------------------------- My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by .. --------------------------------------------- https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540 ∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help .. --------------------------------------------- https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h… ∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗ --------------------------------------------- An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm."It appears that the [Rockstar2FA] group running the service experienced at least a .. --------------------------------------------- https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h… ∗∗∗ l+f: Sicherheitsforscher bestellt bei McDonalds für 1 Cent ∗∗∗ --------------------------------------------- Der McDonalds-Lieferservice in Indien war kaputt und Bestellungen waren umfangreich manipulierbar. --------------------------------------------- https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f… ∗∗∗ Webbrowser: Chrome und Edge sollen mittels KI vor Spam-Seiten warnen ∗∗∗ --------------------------------------------- Um Nutzer vor betrügerischen Websites zu warnen, haben Chrome und Edge neuerdings einen KI-Schutz an Bord. Noch ist das Feature aber nicht standardmäßig aktiv. --------------------------------------------- https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-… ∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗ --------------------------------------------- TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]The post Heels on fire. Hacking smart ski socks first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s… ∗∗∗ Fast zwei Drittel aller gestohlenen Kryptogelder wanderten 2024 nach Nordkorea ∗∗∗ --------------------------------------------- Eine aktuelle Analyse zeigt, dass der Gesamtwert gestohlener Kryptowährungen heuer bisher um 21 Prozent auf 2,2 Milliarden Dollar gestiegen ist --------------------------------------------- https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest… ∗∗∗ NSO-Group für WhatsApp-Angriff mit Pegasus-Spyware schuldig gesprochen ∗∗∗ --------------------------------------------- Im Jahr 2019 wurden WhatsApp-Nutzer Opfer eines Angriffs durch Spyware, die über eine Schwachstelle auf Android und iOS-Geräte installiert werden konnte. WhatsApp verklagte die NSO Group, die den .. --------------------------------------------- https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus… ∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗ --------------------------------------------- Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the .. --------------------------------------------- https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi… ∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗ --------------------------------------------- What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain .. --------------------------------------------- https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-… ∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗ --------------------------------------------- Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats. --------------------------------------------- https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/ ∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗ --------------------------------------------- A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners .. --------------------------------------------- https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s… ∗∗∗ Kritische Sicherheitslücken bedrohen Sophos-Firewalls ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Firewalls von Sophos erschienen. Mit den Standardeinstellungen installieren sie sich automatisch. --------------------------------------------- https://heise.de/-10218914 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, .. --------------------------------------------- https://lwn.net/Articles/1003287/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗ --------------------------------------------- Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously .. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0008.html ∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-91 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2024
by Daily end-of-shift report 20 Dec '24

20 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-12-2024 18:00 − Freitag 20-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Junior IT-Security Analyst:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für unsere laufenden Routinetätigkeiten suchen wir derzeit eine:n Berufsein- oder -umsteiger:in mit Interesse an IT-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect… ∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗ --------------------------------------------- This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu… ∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗ --------------------------------------------- While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP". --------------------------------------------- https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/ ∗∗∗ Auslaufmodell NTLM: Aus Windows 11 24H2 und Server 2025 teils entfernt ∗∗∗ --------------------------------------------- Weitgehend unbemerkt wurden in Windows 11 24H2 und Server 2025 zudem NTLMv1 entfernt. --------------------------------------------- https://heise.de/-10217239 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1718/ ∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1724/ ∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗ --------------------------------------------- Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot). --------------------------------------------- https://lwn.net/Articles/1003019/ ∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027 ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2024
by Daily end-of-shift report 19 Dec '24

19 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-12-2024 18:00 − Donnerstag 19-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗ --------------------------------------------- During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. --------------------------------------------- https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t… ∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials. --------------------------------------------- https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html ∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗ --------------------------------------------- Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th… ∗∗∗ Achtung: AG Reparaturservice ist Betrug ∗∗∗ --------------------------------------------- Geschirrspüler kaputt? Die Website ag-reparaturservice.at bietet angeblich Reparaturen verschiedenster Geräte an. Von Kühlschränken über Waschmaschinen bis hin zu Backöfen repariert das Unternehmen angeblich Haushaltsgeräte. Wir raten zur Vorsicht: Die Reparatur wird trotz Bezahlung nicht durchgeführt. Sie verlieren Ihr Geld. Wir zeigen Ihnen, wie Sie die Betrugsmasche erkennen! --------------------------------------------- https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/ ∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗ --------------------------------------------- A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.” --------------------------------------------- https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa… ∗∗∗ Hacker könnten über Schwachstellen in Solaranlagen das europäische Stromnetz knacken ∗∗∗ --------------------------------------------- Unschöne, aber keineswegs neue Erkenntnis. Deutschland ist zwar "stolz" ob der installierten Leistung an Solarkollektoren. Aber ein griechischer White Hat-Hacker hat gezeigt, wie er sich mittels Notebook und Internet in zahlreiche europäischen Solaranlagen hacken und diese – auch in Deutschland – einfach ausknipsen könnte. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell… ∗∗∗ Kritische LDAP-Schwachstelle in Windows (CVE-2024-49112) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag vom Dezember 2024-Patchday. Zum 10. Dezember 2024 hat Microsoft einen kritische Schwachstelle (CVE-2024-49112) im Lightweight Directory Access Protocol (LDAP) öffentlich gemacht. Diese ermöglicht Remote-Angriffe auf Windows-Clients und -Server, wurde aber gepatcht. [..] Hunter schreibt, dass jährlich 178.900 LDAP- und LDAPS-Dienste jährlich beim Scans über hunter.how gefunden würden. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi… ∗∗∗ Exploring vulnerable Windows drivers ∗∗∗ --------------------------------------------- This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. --------------------------------------------- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/ ∗∗∗ Betrugsmail: Cyberversicherung muss Schaden nicht ersetzen ∗∗∗ --------------------------------------------- Klassisches Mail-Spoofing kostete eine deutsche Firma 85.000 Euro. Ihre Cyberversicherung deckt den Schaden nicht, sagt das Landgericht Hagen. --------------------------------------------- https://heise.de/-10215212 ∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗ --------------------------------------------- Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction. --------------------------------------------- https://socket.dev/blog/skuld-infostealer-returns-to-npm ===================== = Vulnerabilities = ===================== ∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗ --------------------------------------------- A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990 --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-144 ∗∗∗ FortiManager OS command injection ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889 --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara). --------------------------------------------- https://lwn.net/Articles/1002903/ ∗∗∗ Delta Electronics DTM Soft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03 ∗∗∗ Hitachi Energy SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02 ∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01 ∗∗∗ Ossur Mobile Logic Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01 ∗∗∗ Tibbo AggreGate Network Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2024
by Daily end-of-shift report 18 Dec '24

18 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-12-2024 18:00 − Mittwoch 18-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗ --------------------------------------------- A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce… ∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗ --------------------------------------------- Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device. --------------------------------------------- https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad… ∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗ --------------------------------------------- In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check. --------------------------------------------- https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis… ∗∗∗ Spotify: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Spotify stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Spotify die Nutzungsgebühr nicht abbuchen konnte und daher den Account vorübergehend gesperrt hat. Um Spotify weiter nutzen zu können, werden Sie aufgefordert die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen… ∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗ --------------------------------------------- Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device. --------------------------------------------- https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the… ∗∗∗ Phishing-Masche nimmt Nutzer von Google-Kalender ins Visier ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen laut einer Analyse von Sicherheitsforschern offenbar verstärkt Google-Kalender-Invites, um Internetnutzer auf Phishingseiten zu locken. --------------------------------------------- https://heise.de/-10214705 ∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗ --------------------------------------------- TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. --------------------------------------------- https://isc.sans.edu/diary/rss/31530 ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗ --------------------------------------------- A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356 --------------------------------------------- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10 ∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗ --------------------------------------------- On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR) --------------------------------------------- https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess… ∗∗∗ Foxit PDF Editor und Reader: Attacken über präparierte PDF-Dateien möglich ∗∗∗ --------------------------------------------- PDF-Anwendungen von Foxit sind unter macOS und Windows verwundbar. Sicherheitsupdates stehen bereit. [..] Die Einstufung des Bedrohungsgrads der Lücken (CVE-2024-49576, CVE-2024-47810) steht zurzeit noch aus. --------------------------------------------- https://heise.de/-10211267 ∗∗∗ Windows-Sicherheitslösung Trend Micro Apex One als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in Trend Micro Apex One ansetzen. Sicherheitsupdates sind verfügbar. [..] Die darin geschlossenen Sicherheitslücken (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) sind mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-10213518 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1002703/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben. --------------------------------------------- https://heise.de/-10202355 ∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗ --------------------------------------------- DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf… ∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗ --------------------------------------------- Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi… ∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in… ∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims. --------------------------------------------- https://isc.sans.edu/diary/rss/31524 ∗∗∗ Technical Analysis of RiseLoader ∗∗∗ --------------------------------------------- In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-riseload… ∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗ --------------------------------------------- APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel). --------------------------------------------- https://lwn.net/Articles/1002496/ ∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗ --------------------------------------------- Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar. --------------------------------------------- https://heise.de/-10202537 ∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-466.html ∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-465.html ∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03 ∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02 ∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01 ∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.3 ∗∗∗ BD Diagnostic Solutions Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily