=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-09-2024 18:00 − Wednesday 11-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗
---------------------------------------------
A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-…
∗∗∗ Air-gapped systems: malware uses LCD pixel patterns to exfiltrate data acoustically ∗∗∗
---------------------------------------------
Reception is possible, for example, via a nearby smartphone. The data rate is low, but it is sufficient for keylogging and passwords.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-…
∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗
---------------------------------------------
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities.
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo…
∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that ..
---------------------------------------------
https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗
---------------------------------------------
CISA wants you to leap on Citrix and Ivanti issues; Adobe, Intel and SAP also bid for patching priorities. Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.
---------------------------------------------
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
∗∗∗ So you paid a ransom demand … and now the decryptor doesn't work ∗∗∗
---------------------------------------------
A really big "oh sh*t" moment, for sure. For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.
---------------------------------------------
https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗
---------------------------------------------
On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.
---------------------------------------------
https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-…
∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗
---------------------------------------------
In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008…
∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗
---------------------------------------------
We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr…
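Added example (not code from the Unit 42 post): a small Python checker for the header-based redirect described above. It parses a raw HTTP response head, extracts the target of a Refresh header and flags responses that send the browser to a host other than the one that was requested. The sample responses and the hostnames in them are constructed, not captured traffic.

```python
"""Flag HTTP responses that redirect through a Refresh header.

Added example, not code from the Unit 42 post. It parses a raw HTTP
response head and reports a Refresh header whose target lies on a
different host, the stealthy redirect the post describes. The sample
responses and hostnames below are constructed, not captured.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# Browsers accept "Refresh: <seconds>; url=<target>" (quotes optional).
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse an HTTP/1.1 response head into a dict with lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                       # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def refresh_target(headers: Dict[str, str]) -> Optional[str]:
    """Return the URL a Refresh header would navigate to, or None."""
    value = headers.get("refresh")
    if value is None:
        return None
    m = _REFRESH_RE.match(value)
    return m.group(2) if m else None


def is_suspicious_refresh(raw: str, request_host: str) -> bool:
    """True when the response sends the browser to another host via Refresh.

    Cross-host Refresh redirects are legitimate on some sites, so treat a
    hit as a hunting lead (pivot on the target domain), not a verdict.
    """
    target = refresh_target(parse_headers(raw))
    if target is None:
        return False
    host = urlparse(target).hostname
    return host is not None and host.lower() != request_host.lower()


# Constructed samples: a plain auto-reload and a phishing-style redirect
# that carries the recipient's address in the query string.
BENIGN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 30\r\n"
    "\r\n"
)
REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://login.example-phish.invalid/?e=user@example.org\r\n"
    "\r\n"
)


def demo() -> Dict[str, bool]:
    return {
        "benign": is_suspicious_refresh(BENIGN, "www.example.org"),
        "redirect": is_suspicious_refresh(REDIRECT, "www.example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

The check keys on the response header rather than on page content, which is the point of the technique: the HTML body can be empty or innocuous, so a body-only scanner never sees the redirect.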
∗∗∗ The September 2024 Security Update Review ∗∗∗
---------------------------------------------
We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from ..
---------------------------------------------
https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re…
∗∗∗ SBOMs and the importance of inventory ∗∗∗
---------------------------------------------
Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory
∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗
---------------------------------------------
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..
---------------------------------------------
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
---------------------------------------------
https://lwn.net/Articles/989772/
∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-09-2024 18:00 − Tuesday 10-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗
---------------------------------------------
The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so…
∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗
---------------------------------------------
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo…
∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗
---------------------------------------------
The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s…
∗∗∗ Russia's top-secret military unit reportedly plots undersea cable sabotage ∗∗∗
---------------------------------------------
US alarmed by heightened Kremlin naval activity worldwide. Russia's naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
---------------------------------------------
https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot…
∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗
---------------------------------------------
Introduction Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-…
∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗
---------------------------------------------
Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach.
---------------------------------------------
https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi…
∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗
---------------------------------------------
The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility.
---------------------------------------------
https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too…
∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗
---------------------------------------------
Introduction This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri…
∗∗∗ Companies overestimate their own readiness to defend against hackers ∗∗∗
---------------------------------------------
According to a recent study, 86 percent of the companies surveyed paid a "ransom" last year after their systems were infected.
---------------------------------------------
https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene…
∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗
---------------------------------------------
Explore Unit 42's review of North Korean APT groups and their impact, detailing the top 10 malware and tools we've seen from these threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g…
∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗
---------------------------------------------
Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar…
∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗
---------------------------------------------
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) ..
---------------------------------------------
https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso…
∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗
---------------------------------------------
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.
---------------------------------------------
https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware
∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus…
∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗
---------------------------------------------
Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work.
---------------------------------------------
https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-…
∗∗∗ Because of the US ban: Kaspersky customers receive UltraAV from Pango ∗∗∗
---------------------------------------------
Following the ban in the United States, the company is now migrating customers to UltraAV, Kaspersky confirmed to heise online.
---------------------------------------------
https://heise.de/-9862992
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security…
∗∗∗ September 2024 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/september-2024-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-09-2024 18:00 − Monday 09-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗
---------------------------------------------
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-f…
∗∗∗ Software bug in state election: CCC criticises lack of transparency in election software ∗∗∗
---------------------------------------------
A "botched implementation" may have caused the calculation error in the Saxony state election. The CCC is calling for more transparency.
---------------------------------------------
https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-in…
∗∗∗ Attack on air-gapped systems: malware exfiltrates data wirelessly through RAM ∗∗∗
---------------------------------------------
The attack technique does not provide a high data rate, but it is sufficient for real-time keylogging and for exfiltrating passwords and RSA keys.
---------------------------------------------
https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltrier…
∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗
---------------------------------------------
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threa…
∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗
---------------------------------------------
An anonymous reader shares a report: ChatGPT's 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream there's still plenty of money to be made -- especially if you're catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months ..
---------------------------------------------
https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-…
∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗
---------------------------------------------
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-…
∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗
---------------------------------------------
Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-a…
∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗
---------------------------------------------
Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions.
---------------------------------------------
https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrast…
∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗
---------------------------------------------
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
---------------------------------------------
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-…
∗∗∗ Sextortion scam attempt I: recording of porn consumption; and "invoice payment" ∗∗∗
---------------------------------------------
So-called sextortion campaigns are currently running again, in which victims are to be blackmailed by e-mail with allegedly compromising material. I am therefore summarising some information from the last few days about ongoing sextortion campaigns in ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzei…
∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗
---------------------------------------------
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
---------------------------------------------
https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-dat…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-ex…
∗∗∗ Keeping an eye on your own identity: Google Dark Web Report warns of data leaks ∗∗∗
---------------------------------------------
Google's Dark Web Report lets you monitor your own identity for data breaches. The service is now free and no longer part of a subscription.
---------------------------------------------
https://heise.de/-9860797
∗∗∗ Poland breaks up ring of cyber saboteurs ∗∗∗
---------------------------------------------
Poland, an EU and NATO member, is increasingly the target of cyberattacks. Warsaw suspects Russian and Belarusian intelligence services are behind them.
---------------------------------------------
https://heise.de/-9862555
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1196/
∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00180.html
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-09-2024 18:00 − Friday 06-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US charges Russian GRU hackers behind WhisperGate intrusions ∗∗∗
---------------------------------------------
Feds post $10 million bounty for each of the six's whereabouts. The US today charged five Russian military intelligence officers and one civilian for their involvement with the data-wiping WhisperGate campaign conducted against Ukraine in January 2022 before the ground invasion began.
---------------------------------------------
https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/
∗∗∗ Ransomware Gang Claims Cyberattack on Planned Parenthood ∗∗∗
---------------------------------------------
Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week.
---------------------------------------------
https://www.securityweek.com/ransomware-gang-claims-cyberattack-on-planned-…
∗∗∗ Security vulnerabilities in Veeam Backup & Replication - updates available ∗∗∗
---------------------------------------------
The software vendor Veeam has released updates for several of its products. Among the vulnerabilities fixed in this release is CVE-2024-40711, a severe flaw in Veeam Backup & Replication. Exploiting this vulnerability allows attackers, without authentication, ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/sicherheitslucken-in-veeam-backup-r…
∗∗∗ Active exploitation of a vulnerability in SonicWall SonicOS (CVE-2024-40766) ∗∗∗
---------------------------------------------
On 21.08.2024 the vendor SonicWall published an advisory on a severe vulnerability in its operating system for network devices, SonicOS. Exploitation of this vulnerability, CVE-2024-40766, could allow attackers to crash affected devices. At the same time as the ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/aktive-ausnutzung-einer-sicherheits…
∗∗∗ Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware ∗∗∗
---------------------------------------------
Colombia’s President Gustavo Petro said Wednesday that his administration is probing the disappearance of $11 million allegedly used to buy powerful Pegasus spyware, which he said he believes was acquired by the previous administration.
---------------------------------------------
https://therecord.media/colombian-president-pegasus-spyware-israel-missing-…
∗∗∗ Password spraying attacks on (Sophos) firewalls from IP 92.53.65.166 ∗∗∗
---------------------------------------------
A short note for administrators of Sophos firewalls: a reader pointed out to me that since 5 September 2024 he has been observing an increasing number of attack attempts against his Sophos firewalls. The VPN portal in particular is being flooded with login attempts over port 443 ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/06/passwort-spraying-angriffe-auf-sop…
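Added example (not from the borncity post): a Python detector for the pattern described above, run over constructed authentication log lines. A spray shows up as one source trying many different usernames a few times each within a short window, which is what separates it from a brute force that hammers one account. The log format and the lines are constructed; 92.53.65.166 is the source named in the post, the other addresses come from documentation ranges.

```python
"""Spot password spraying in authentication logs.

Added example, not from the borncity post. A spray looks like one source
trying many different usernames a few times each inside a short window,
unlike a brute force that hammers a single account. The log format and
the lines below are constructed; 92.53.65.166 is the source reported in
the post, the other addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2024-09-05T10:00:01 auth FAIL user=admin src=92.53.65.166
2024-09-05T10:00:04 auth FAIL user=administrator src=92.53.65.166
2024-09-05T10:00:07 auth FAIL user=j.smith src=92.53.65.166
2024-09-05T10:00:10 auth FAIL user=m.mueller src=92.53.65.166
2024-09-05T10:00:13 auth FAIL user=support src=92.53.65.166
2024-09-05T10:00:16 auth FAIL user=vpn src=92.53.65.166
2024-09-05T10:01:00 auth FAIL user=alice src=203.0.113.7
2024-09-05T10:01:05 auth FAIL user=alice src=203.0.113.7
2024-09-05T10:01:09 auth FAIL user=alice src=203.0.113.7
2024-09-05T10:01:15 auth OK user=alice src=203.0.113.7
2024-09-05T10:02:00 auth FAIL user=bob src=198.51.100.9
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_sprayers(lines, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src: sorted usernames} for sources whose failures look like a spray.

    For each source, slide a window over its failed logins. It is flagged
    when some window holds at least `min_users` distinct names and no name
    more than `max_per_user` times.
    """
    events = [e for e in map(parse, lines) if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = defaultdict(int)
            for e in evs[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_sprayers(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} accounts tried: {', '.join(users)}")
```

The thresholds are deliberately parameters: a per-account lockout policy never fires on a spray because each account sees only one or two attempts, so the detection has to be keyed on the source, not the user.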
∗∗∗ Hunting Chromium Notifications ∗∗∗
---------------------------------------------
Browser notifications provide social-engineering opportunities. In this post we'll cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations.
---------------------------------------------
https://blog.nviso.eu/2024/09/06/hunting-chromium-notifications/
∗∗∗ The best and worst ways to get users to improve their account security ∗∗∗
---------------------------------------------
In my opinion, mandatory enrollment is best enrollment.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-5-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1195/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-09-2024 18:00 − Thursday 05-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords ∗∗∗
---------------------------------------------
Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-to…
∗∗∗ Windows 11/Server 2024 SMB security hardening ∗∗∗
---------------------------------------------
At the end of August 2024, ahead of the upcoming releases of Windows 11 24H2 and Windows Server 2025, Microsoft published a Tech Community post on "SMB security hardening". This is part of the Microsoft Secure Future Initiative (SFI); the operating systems are to ship with hardened SMB settings from the start in order to better protect against cyberattacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-securit…
∗∗∗ CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) ∗∗∗
---------------------------------------------
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we’ll outline them now.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-una…
∗∗∗ Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions ∗∗∗
---------------------------------------------
In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our ‘fake’ action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code.
---------------------------------------------
https://orca.security/resources/blog/typosquatting-in-github-actions/
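Added example (not code from the Orca post): a Python linter for the workflow mistake described above. It pulls every `uses:` reference out of a workflow file and applies two policy checks: the action owner must be on an explicit allow-list, with a near miss reported as a probable typo, and the ref must be a full 40-character commit SHA rather than a tag or branch. The workflow text, the allow-list and the SHA are constructed for the demo.

```python
"""Lint GitHub Actions workflows for typosquatting-prone `uses:` references.

Added example, not from the Orca post. Two policy checks: the action
owner must be on an explicit allow-list, with near misses reported as a
probable typo, and the ref must be a full 40-hex commit SHA rather than
a tag or branch. The workflow text, the allow-list and the SHA are
constructed for the demo.
"""
import difflib
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<spec>[^'\"\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

ALLOWED_OWNERS = ["actions", "docker", "github"]

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: action/checkout@v4
      - uses: ./.github/actions/local-step
      - name: test
        run: npm test
"""


def parse_uses(workflow_text):
    """Yield (owner, repo, ref) for each `uses: owner/repo[/path]@ref` line.
    Local (./...) and docker:// actions are not registry lookups; skip them."""
    for m in USES_RE.finditer(workflow_text):
        spec = m["spec"]
        if spec.startswith(("./", "docker://")):
            continue
        path, _, ref = spec.partition("@")
        owner, _, rest = path.partition("/")
        yield owner, rest.split("/")[0], ref


def lint(workflow_text, allowed_owners=ALLOWED_OWNERS):
    """Return a list of human-readable findings (empty means the file passes)."""
    findings = []
    for owner, repo, ref in parse_uses(workflow_text):
        if owner not in allowed_owners:
            near = difflib.get_close_matches(owner, allowed_owners, n=1, cutoff=0.8)
            hint = f" (did you mean '{near[0]}'?)" if near else ""
            findings.append(f"{owner}/{repo}@{ref}: owner not allow-listed{hint}")
        if not SHA_RE.match(ref):
            findings.append(f"{owner}/{repo}@{ref}: ref is not a full commit SHA")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_WORKFLOW):
        print(finding)
```

Pinning to a SHA matters independently of the typo check: a tag such as `v4` can be moved to new content by whoever controls the repository, while a commit SHA cannot be repointed.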
∗∗∗ Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ∗∗∗
---------------------------------------------
On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware.
---------------------------------------------
https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam warns of critical RCE flaw in Backup & Replication software ∗∗∗
---------------------------------------------
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-…
∗∗∗ Attackers can slip through a backdoor in Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
Due to several vulnerabilities, attacks on Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager and Smart Licensing Utility are conceivable. [..] Smart Licensing Utility is threatened by two "critical" vulnerabilities (CVE-2024-20439, CVE-2024-20440). In the first case, a remote attacker can access instances without logging in because of static admin credentials. With the admin rights of that account, an attacker gains full control. [..] Meraki Systems Manager Agent for Windows can choke on a DLL file prepared with malicious code because of a vulnerability (CVE-2024-20430, "high"). [..]
---------------------------------------------
https://heise.de/-9857962
∗∗∗ Drupal: Security advisories 2024-September-04 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories (1x Critical, 4x Moderately critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc).
---------------------------------------------
https://lwn.net/Articles/989046/
∗∗∗ Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-09-2024 18:00 − Wednesday 04-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloning YubiKeys? ∗∗∗
---------------------------------------------
Today there was a sensationalist report about this: they can be cloned. [..] That is clearly not good. But as so often with headlines of this kind, it is worth reading more closely what actually happened and how realistic the attacks really are.
---------------------------------------------
https://www.cert.at/de/blog/2024/9/yubikeys-eucleak
∗∗∗ Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers ∗∗∗
---------------------------------------------
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads.
---------------------------------------------
https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
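The defence a practitioner wants against a re-registered package name is a requirement pin that carries the artifact hash, not just the version: an attacker who revives a deleted name can re-upload the old version number with new bytes, and a version-only pin will accept it. The following Python block is an added example written for this digest, not JFrog's research code or anything from PyPI; the "registry" is an in-memory dict and the artifacts are constructed byte strings standing in for wheels. It contrasts three install strategies before and after a simulated revival.

```python
import hashlib

# Constructed stand-ins for package artifacts; real wheels would be files on disk.
ORIGINAL_1_2_0 = b"example-pkg 1.2.0: original maintainer's wheel"
REVIVED_1_2_0 = b"example-pkg 1.2.0: re-uploaded by new owner, different bytes"
REVIVED_9_9_9 = b"example-pkg 9.9.9: new owner's 'latest' release"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fresh_registry() -> dict:
    # Index state while the original project still exists: name -> version -> artifact.
    return {"example-pkg": {"1.2.0": ORIGINAL_1_2_0}}

def simulate_revival(registry: dict) -> None:
    # Owner deletes the project; the name becomes free and the attacker
    # re-registers it, re-uploading the old version number plus a higher one.
    registry["example-pkg"] = {"1.2.0": REVIVED_1_2_0, "9.9.9": REVIVED_9_9_9}

# Hash-pinned requirement, as `pip-compile --generate-hashes` would write it.
# The hash is recorded while the original artifact is still the one on the index.
PINNED = {"example-pkg": ("1.2.0", sha256(ORIGINAL_1_2_0))}

def install_latest(registry: dict, name: str):
    # `pip install example-pkg` / `pip install -U`: newest version wins.
    versions = registry[name]
    latest = max(versions, key=lambda v: tuple(int(x) for x in v.split(".")))
    return latest, versions[latest]

def install_version_pin(registry: dict, name: str):
    # `example-pkg==1.2.0` without a hash: any bytes under that version are accepted.
    version, _ = PINNED[name]
    return version, registry[name][version]

def install_hash_pin(registry: dict, name: str):
    # `example-pkg==1.2.0 --hash=sha256:...` (pip --require-hashes semantics).
    version, expected = PINNED[name]
    artifact = registry[name][version]
    if sha256(artifact) != expected:
        raise ValueError(f"hash mismatch for {name}=={version}: refusing to install")
    return version, artifact

def scenario() -> dict:
    """Run the three install strategies before and after the name is revived."""
    registry = fresh_registry()
    out = {"before_hash_pin": install_hash_pin(registry, "example-pkg")[1]}
    simulate_revival(registry)
    out["after_latest"] = install_latest(registry, "example-pkg")[0]
    out["after_version_pin"] = install_version_pin(registry, "example-pkg")[1]
    try:
        install_hash_pin(registry, "example-pkg")
        out["after_hash_pin"] = "accepted"
    except ValueError:
        out["after_hash_pin"] = "rejected"
    return out

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Only the hash-pinned install refuses the revived artifact; the unpinned install happily takes the attacker's 9.9.9 and the version-only pin takes the attacker's re-uploaded 1.2.0. Pair this with a private index or proxy that keeps its own copies of already-vetted artifacts, so a deletion upstream cannot change what your builds resolve.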
∗∗∗ Hackers inject malicious JS in Cisco store to steal credit cards, credentials ∗∗∗
---------------------------------------------
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-inject-malicious-js-…
∗∗∗ Mallox ransomware: in-depth analysis and evolution ∗∗∗
---------------------------------------------
In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.
---------------------------------------------
https://securelist.com/mallox-ransomware/113529/
∗∗∗ Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion ∗∗∗
---------------------------------------------
While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
∗∗∗ Advanced forensic techniques for recovering hidden data in wearable device ∗∗∗
---------------------------------------------
This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality.
---------------------------------------------
https://www.pentestpartners.com/security-blog/advanced-forensic-techniques-…
∗∗∗ Beware of US Green Card lottery providers such as AmericanGC.com ∗∗∗
---------------------------------------------
For many, the USA is a dream destination for emigrating. The Green Card lottery allows up to 50,000 people a year to immigrate with a Green Card. Demand for this lottery is high, and dubious and fraudulent providers such as AmericanGC.com take advantage of that.
---------------------------------------------
https://www.watchlist-internet.at/news/green-card-americangccom/
∗∗∗ US agencies are to secure Internet routing ∗∗∗
---------------------------------------------
The White House is putting pressure on agencies: they are to secure their network routes cryptographically. Only then can errors become noticeable.
---------------------------------------------
https://heise.de/-9856483
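"Securing routes cryptographically" in practice means publishing RPKI Route Origin Authorizations (ROAs) and having routers run Route Origin Validation against them, which is what turns a wrong-origin announcement from an invisible mistake into a detectable "Invalid". The Python block below is an added example for this digest (not code from heise, the White House roadmap, or any router vendor) implementing the RFC 6811 validation outcome for one route against a constructed set of validated ROA payloads; the prefixes are documentation ranges and the AS numbers are private-use values chosen for the example.

```python
import ipaddress

# Constructed set of validated ROA payloads (VRPs): (prefix, max_length, origin_as).
# Prefixes are documentation ranges and ASNs are from the private-use range.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

def route_origin_validation(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """RFC 6811 origin validation: return 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_length, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route at all
        covered = True
        # Covered by at least one VRP: it "matches" only if the announced prefix
        # is no longer than maxLength AND the origin AS is the authorised one.
        if route.prefixlen <= max_length and origin_as == vrp_as:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def filter_announcements(announcements, vrps=VRPS):
    """Drop-invalid policy: keep Valid and NotFound routes, reject Invalid ones."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = route_origin_validation(prefix, origin_as, vrps)
        (rejected if state == "Invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected

# Constructed announcements: a legitimate one, a hijack from the wrong AS,
# a too-specific more-specific, and a prefix for which nobody has issued a ROA.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64666),
    ("198.51.100.0/25", 64497),
    ("203.0.113.0/24", 64496),
]

if __name__ == "__main__":
    for bucket in filter_announcements(SAMPLE_ANNOUNCEMENTS):
        print(bucket)
```

Note the third case: the authorised AS announcing a /25 under a /22 ROA with maxLength 24 is Invalid, which is why operators are warned against publishing ROAs with a loose maxLength (it would let a hijacker announce a more specific from the "right" AS and still validate). NotFound is deliberately accepted, since most of the routing table is still unsigned; the payoff of the mandate described above is moving government prefixes from NotFound to Valid so that their hijacks become Invalid.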
∗∗∗ Mesh Wi-Fi from Plume Design: expensive snooping ∗∗∗
---------------------------------------------
Mesh networks are good against Wi-Fi dead spots. But beware: a US manufacturer monitors users with its routers and extenders and cheerfully passes on confidential data. An investigation by Erik Bärwaldt (data protection, Wi-Fi)
---------------------------------------------
https://www.golem.de/news/mesh-wlan-von-plume-design-teure-bespitzelung-240…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
---------------------------------------------
https://lwn.net/Articles/988746/
∗∗∗ Android Patchday: updates close several high-risk vulnerabilities ∗∗∗
---------------------------------------------
It is now up to the phone manufacturers to pour the security-relevant fixes into firmware updates for Android smartphones and distribute them to affected customers.
---------------------------------------------
https://heise.de/-9856847
∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67963942/
∗∗∗ Progress: OpenEdge Third-Party Vulnerabilities Fixed In OpenEdge LTS Update 11.7.20 ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/OpenEdge-Third-Party-Vulnerabiliti…
∗∗∗ Hitachi Energy: Multiple vulnerabilities in Hitachi Energy MicroSCADA X SYS600 product ∗∗∗
---------------------------------------------
https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageC…
∗∗∗ Zyxel security advisory for OS command injection vulnerability in APs and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox and Focus ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ C-MOR: Multiple security vulnerabilities in the C-MOR video surveillance software (SYSS-2024-020 to -030) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-video…
∗∗∗ F5: K000140908: MySQL Server vulnerability CVE-2024-21134 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140908
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-09-2024 18:00 − Tuesday 03-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ D-Link says it is not fixing four RCE flaws in DIR-846W routers ∗∗∗
---------------------------------------------
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported. [..] The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing…
∗∗∗ The state of sandbox evasion techniques in 2024 ∗∗∗
---------------------------------------------
This post is about sandbox evasion techniques and their usefulness in more targeted engagements.
---------------------------------------------
https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.ht…
∗∗∗ CVE-2024-37084: Spring Cloud Remote Code Execution ∗∗∗
---------------------------------------------
CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. [..] The vulnerability affects versions 2.11.0 through 2.11.3 of Spring Cloud Skipper.
---------------------------------------------
https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/
∗∗∗ Intel Responds to SGX Hacking Research ∗∗∗
---------------------------------------------
Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology.
---------------------------------------------
https://www.securityweek.com/intel-responds-to-sgx-hacking-research/
∗∗∗ Ignore invoices and payment reminders from cvneed.com ∗∗∗
---------------------------------------------
You created a CV on cvneed.com? You assumed it was free? But suddenly invoices and even payment reminders are arriving? Ignore them and pay nothing. This is a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-von-cvneed/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2021-20123/CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability,
CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-ex…
∗∗∗ Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-using-macropack/
∗∗∗ A look into Web Application Security ∗∗∗
---------------------------------------------
An in-depth look into Web Application Security, and Bitsight's approach to related security metrics.
---------------------------------------------
https://www.bitsight.com/blog/look-web-application-security
=====================
= Vulnerabilities =
=====================
∗∗∗ Zyxel: Multiple high-risk vulnerabilities in firewalls ∗∗∗
---------------------------------------------
Zyxel warns of multiple vulnerabilities in the company's firewalls. Updates that close the holes are available. [..] The most serious is a flaw that lets attackers inject commands into the IPSec VPN of Zyxel firewalls. With manipulated usernames they can smuggle in commands that the operating system then executes.
---------------------------------------------
https://heise.de/-9855938
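The bug class behind "commands smuggled in via the username" is OS command injection: an identity string reaches a shell command line unescaped. The Python block below is an added illustration of that class written for this digest, not Zyxel's firmware code or the actual vulnerable path; `echo` stands in for whatever helper a real daemon would invoke, the allowlist pattern is this example's choice, and the payload is a constructed one. It shows the vulnerable shell-string form next to the two fixes that matter: passing argv as a list so no shell parses the value, and validating the identity before it gets anywhere near a command.

```python
import re
import subprocess

# Allowlist for identities that may reach the command layer. The pattern is this
# example's choice, not anything taken from Zyxel's code.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def record_login_vulnerable(username: str) -> str:
    # Vulnerable pattern: the identity is spliced into a shell command line, so
    # ';', '`', '$(...)' and friends are interpreted by /bin/sh. `echo` stands in
    # for whatever helper the real daemon would call.
    command = f"echo login {username}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout

def record_login_argv(username: str) -> str:
    # Fix 1: pass argv as a list. No shell parses the value, so the whole string,
    # separators included, arrives as a single literal argument.
    result = subprocess.run(["echo", "login", username], capture_output=True, text=True)
    return result.stdout

def record_login_hardened(username: str) -> str:
    # Fix 2 (defence in depth): reject anything outside the allowlist before it
    # gets near a command at all, then use the argv form.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    return record_login_argv(username)

# Constructed payload of the kind the advisory describes: a "username" that
# carries a second command behind a separator.
PAYLOAD = "alice; echo INJECTED"

if __name__ == "__main__":
    print(record_login_vulnerable(PAYLOAD), end="")
    print(record_login_argv(PAYLOAD), end="")
    try:
        record_login_hardened(PAYLOAD)
    except ValueError as exc:
        print(exc)
```

Run stand-alone, the vulnerable variant prints a second line "INJECTED" because /bin/sh treated the semicolon as a command separator; the argv variant prints the semicolon and everything after it as part of one literal argument; the hardened variant refuses the input outright. Note that input validation alone is the weaker fix, since the allowlist must anticipate every metacharacter of every shell the code might run under, whereas the argv form removes the shell from the picture entirely.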
∗∗∗ VMSA-2024-0018:VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811) ∗∗∗
---------------------------------------------
VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/extern…
∗∗∗ OpenSSL Security Advisory [3rd September 2024] ∗∗∗
---------------------------------------------
Possible denial of service in X.509 name checks (CVE-2024-6119) [..] OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
---------------------------------------------
https://openssl-library.org/news/secadv/20240903.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12), Debian (calibre, exfatprogs, frr, git, libtommath, nbconvert, ruby-nokogiri, ruby-tzinfo, and webkit2gtk), Fedora (flatpak, lua-mpack, and python3.12), Red Hat (389-ds-base, 389-ds:1.4, buildah, fence-agents, gvisor-tap-vsock, httpd:2.4, kernel, kernel-rt, nodejs:18, orc, postgresql, postgresql:12, postgresql:13, postgresql:15, python-urllib3, python3.12, and skopeo), SUSE (389-ds, bubblewrap and flatpak, cacti, cacti-spine, curl, glib2, kernel-firmware, libqt5-qt3d, libqt5-qtquick3d, opera, python39, qemu, unbound, xen, and zziplib), and Ubuntu (ffmpeg, linux-raspi-5.4, and python-webob).
---------------------------------------------
https://lwn.net/Articles/988570/
∗∗∗ Chrome 128 Updates Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/chrome-128-updates-patch-high-severity-vulnera…
∗∗∗ Lenze: Install Directory with insufficient permissions ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-053/
∗∗∗ LOYTEC Electronics LINX Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-08-2024 18:00 − Monday 02-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Administrative IT infiltrated: cyberattack hits Deutsche Flugsicherung ∗∗∗
---------------------------------------------
According to a company spokesperson, the incident affects the office IT of DFS. The attack apparently has no impact on air traffic. [..] Who exactly is behind the cyberattack on Deutsche Flugsicherung cannot yet be answered with certainty. [..] The company is currently working to contain the incident and minimize its impact.
---------------------------------------------
https://www.golem.de/news/administrative-it-infiltriert-cyberangriff-trifft…
∗∗∗ TSA airport security checks bypassed via SQL injection ∗∗∗
---------------------------------------------
Security researchers in the USA succeeded in deceiving the FlyCASS security system via SQL injection and thereby bypassing access controls.
---------------------------------------------
https://heise.de/-9853305
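An access check that builds its SQL from the supplied identity is exactly the pattern a tautology payload defeats, and the fix is a bound parameter rather than escaping. The Python block below is an added example for this digest using sqlite3 and a constructed two-row "crew" table; it is not FlyCASS code, schema or data, and the payload is the textbook one rather than whatever the researchers used. It puts the string-built check beside the parameterized one and shows both answering the same inputs.

```python
import sqlite3

# Constructed sample table; not FlyCASS data or schema.
CREW = [
    ("jdoe", "Example Air", "pilot"),
    ("asmith", "Example Air", "flight attendant"),
]

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, airline TEXT, role TEXT)")
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", CREW)
    return conn

def is_authorised_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    # The username is pasted into the SQL text, so quote characters in it
    # change the query's structure instead of being compared as data.
    sql = f"SELECT 1 FROM crew WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None

def is_authorised_parameterized(conn: sqlite3.Connection, username: str) -> bool:
    # The value travels as a bound parameter; the SQL text is fixed.
    sql = "SELECT 1 FROM crew WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None

# Classic tautology payload: closes the string literal and makes WHERE always true.
BYPASS = "' OR '1'='1"

def demo() -> dict:
    conn = build_db()
    return {
        "real_user_vulnerable": is_authorised_vulnerable(conn, "jdoe"),
        "real_user_parameterized": is_authorised_parameterized(conn, "jdoe"),
        "nobody_vulnerable": is_authorised_vulnerable(conn, "mallory"),
        "bypass_vulnerable": is_authorised_vulnerable(conn, BYPASS),
        "bypass_parameterized": is_authorised_parameterized(conn, BYPASS),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

With the payload, the vulnerable check runs `SELECT 1 FROM crew WHERE username = '' OR '1'='1'` and returns a row, so an unknown caller is "authorised"; the parameterized check looks for a user literally named `' OR '1'='1` and finds none. The same discipline applies to any other field the system concatenates into a query (employee ID, airline, role), since an injection into any of them reaches the same authorisation decision.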
∗∗∗ Windows: DLL side-loading attacks via licensingdiag.exe ∗∗∗
---------------------------------------------
Anyone concerned with Windows security should keep an eye on the command-line tool licensingdiag.exe. It is another "living off the land" tool that can be used for DLL side-loading attacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/01/windows-side-loading-dll-angriffe-…
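For a detection engineer, a signed Microsoft binary that side-loads is a hunt on image-load telemetry: the interesting event is that binary loading a DLL from somewhere other than the system directories, or the binary itself having been copied out of System32 to sit next to an attacker's DLL. The Python block below is an added example for this digest, not code from the borncity post; it runs that logic over constructed Sysmon Event ID 7 (ImageLoad) records flattened to key=value pairs. The field names (Image, ImageLoaded, Signed) follow Sysmon's schema, but the records, the paths and the DLL name "example.dll" are invented here, since the post names no specific DLL; the flat parser assumes paths without spaces.

```python
from pathlib import PureWindowsPath

# Directories a Windows-signed LOLBin and its legitimate imports normally live in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_BINARIES = {"licensingdiag.exe"}

# Constructed Sysmon Event ID 7 (ImageLoad) records flattened to key=value pairs.
# Field names follow Sysmon's schema; "example.dll" and the paths are invented for
# this example (the post names no specific DLL). Paths here contain no spaces.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\licensingdiag.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=7 Image=C:\\Users\\Public\\licensingdiag.exe ImageLoaded=C:\\Users\\Public\\example.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\licensingdiag.exe ImageLoaded=C:\\ProgramData\\example.dll Signed=false",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

def parse_event(line: str) -> dict:
    return dict(token.split("=", 1) for token in line.split() if "=" in token)

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def sideload_indicators(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like side-loading, if any."""
    if event.get("EventID") != "7":
        return []
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() not in WATCHED_BINARIES:
        return []
    reasons = []
    if not in_trusted_dir(image):
        reasons.append("watched binary running from outside System32 (copied LOLBin)")
    if not in_trusted_dir(loaded):
        reasons.append("DLL loaded from a user-writable or non-system directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons

def find_sideloads(lines) -> list:
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = sideload_indicators(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for image, loaded, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {'; '.join(reasons)}")
```

The first record (kernel32.dll from System32, signed) produces no indicators, which is the baseline you need to keep the rule quiet; the other two ImageLoad records fire, one of them on all three indicators because the binary itself has been relocated. Extending WATCHED_BINARIES to the other LOLBins you care about is the intended way to grow this rule; the directory allowlist is the part to tune per environment.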
∗∗∗ Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant ∗∗∗
---------------------------------------------
Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies.
---------------------------------------------
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wi…
∗∗∗ GitHub comments abused to push password stealing malware masked as fixes ∗∗∗
---------------------------------------------
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. [..] The solution tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been "changeme" in all the comments we have seen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-comments-abused-to-pu…
∗∗∗ Docker-OSX image used for security research hit by Apple DMCA takedown ∗∗∗
---------------------------------------------
The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-osx-image-used-for-se…
∗∗∗ Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [..] An analysis of the new malware by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a possible rebrand or a fork created by former ALPHV core team members. [..] For context, ALPHV performed an exit scam in early March 2024 involving fake claims about an FBI takedown operation, after they stole a massive $22 million payment made by Change Healthcare from one of their affiliates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux…
∗∗∗ Handed a copy of your ID and personal data to criminals? Here is what you can do ∗∗∗
---------------------------------------------
You fell victim to a scam and in the process sent personal data or even copies of your ID? We show you what you can do when criminals have obtained your data!
---------------------------------------------
https://www.watchlist-internet.at/news/ausweiskopie-und-persoenliche-daten-…
∗∗∗ "Voldemort" malware: attackers increasingly target taxpayers ∗∗∗
---------------------------------------------
A new wave of attacks is increasingly aimed at tax authorities, but also at other agencies and companies in various countries, including in this country. The "Voldemort" malware is spread via phishing emails. Whoever clicks may end up installing a backdoor. [..] More than half of the affected organizations come from the insurance, aerospace, transport and education sectors.
---------------------------------------------
https://heise.de/-9854106
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra fixed two severe issues in FileCatalyst Workflow, including a critical flaw ∗∗∗
---------------------------------------------
Cybersecurity and automation company Fortra released patches for two vulnerabilities in FileCatalyst Workflow. One of the vulnerabilities is a critical issue, tracked as CVE-2024-6633 (CVSS score of 9.8), described as Insecure Default in FileCatalyst Workflow Setup.
---------------------------------------------
https://securityaffairs.com/167838/security/fortra-filecatalyst-critical-wo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql:16), Debian (dovecot, pymatgen, ruby2.7, systemd, and webkit2gtk), Fedora (microcode_ctl, python3.11, vim, and xen), Oracle (kernel, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Slackware (libpcap), SUSE (cacti, cacti-spine, python-Django, and trivy), and Ubuntu (dovecot).
---------------------------------------------
https://lwn.net/Articles/988364/
∗∗∗ WordPress Vulnerability & Patch Roundup August 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-vulnerability-patch-roundup-augus…
∗∗∗ MISP 2.4.197 released with many bugs fixed, a security fix and improvements. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.197
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-08-2024 18:00 − Friday 30-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Palo Alto GlobalProtect used as lure to backdoor enterprises ∗∗∗
---------------------------------------------
Threat actors target Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect Tool that can steal data and execute remote PowerShell commands to infiltrate internal networks further.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-palo-alto-globalprotect…
∗∗∗ FBI: RansomHub ransomware breached 210 victims since February ∗∗∗
---------------------------------------------
Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-bre…
∗∗∗ Russian hackers use the same holes as state trojans ∗∗∗
---------------------------------------------
Experts keep warning that criminals can also use the loopholes through which governments surveil suspects.
---------------------------------------------
https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger…
∗∗∗ Study: 78 percent of all ransomware victims apparently pay the ransom ∗∗∗
---------------------------------------------
Many affected companies apparently even pay several times. Four or more ransom payments are not uncommon, especially in Germany.
---------------------------------------------
https://www.golem.de/news/studie-78-prozent-aller-ransomware-opfer-zahlen-o…
∗∗∗ Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom ∗∗∗
---------------------------------------------
Sordid search history evidence in a case that could see him spend 35 years in prison for extortion and wire fraud. A former infrastructure engineer who allegedly locked IT department colleagues out of their employer's systems, then threatened to shut down servers unless paid a ransom, has been arrested and charged after an FBI investigation.
---------------------------------------------
https://www.theregister.com/2024/08/29/vm_engineer_extortion_allegations/
∗∗∗ How to enhance the security of your social media accounts ∗∗∗
---------------------------------------------
TL;DR Strong passwords: Use a password manager. Multi-factor authentication (MFA): MFA requires multiple forms of identification, adding an extra layer of security. This makes it harder for unauthorised users to ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-enhance-the-security-o…
∗∗∗ TLD Tracker: Exploring Newly Released Top-Level Domains ∗∗∗
---------------------------------------------
Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies.
---------------------------------------------
https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domai…
∗∗∗ Malicious North Korean packages appear again in open source code repository ∗∗∗
---------------------------------------------
North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.
---------------------------------------------
https://therecord.media/npm-javascript-repository-north-korean-malware
∗∗∗ TR-88 - Motivation, procedure and rational for leaked credential notifications ∗∗∗
---------------------------------------------
In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL ..
---------------------------------------------
https://www.circl.lu/pub/tr-88
∗∗∗ Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence ∗∗∗
---------------------------------------------
Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.…
∗∗∗ Gaps in Skills, Knowledge, and Technology Pave the Way for Breaches ∗∗∗
---------------------------------------------
The stakes continue growing higher for organizations when it comes to cybersecurity incidents, with the fallout of such incidents becoming more costly and complex. According to the Fortinet 2024 Cybersecurity Skills Gap Report, the overwhelming majority (87%) of those surveyed said they experienced one or ..
---------------------------------------------
https://www.fortinet.com/blog/industry-trends/gaps-in-skills-knowledge-tech…
∗∗∗ Ransomware Roundup - Underground ∗∗∗
---------------------------------------------
The Underground ransomware has victimized companies in various industries since July 2023. It encrypts files without changing the original file extension.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground
∗∗∗ After cyberattack: solar provider "Qcells" informs customers about data leak ∗∗∗
---------------------------------------------
Once again there is a data leak in the solar industry. Customers of Qcells are therefore being informed.
---------------------------------------------
https://heise.de/-9852641
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libvpx, postgresql, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Debian (chromium and ghostscript), Fedora (python3.13), and SUSE (chromium and podman).
---------------------------------------------
https://lwn.net/Articles/987836/
∗∗∗ DSA-5761-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00174.html
∗∗∗ IPCOM vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29238389/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-08-2024 18:00 − Thursday 29-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Unpatchable 0-day in surveillance cam is being exploited to install Mirai ∗∗∗
---------------------------------------------
Vulnerability is easy to exploit and allows attackers to remotely execute commands.
---------------------------------------------
https://arstechnica.com/?p=2046043
∗∗∗ Iranian hackers work with ransomware gangs to extort breached orgs ∗∗∗
---------------------------------------------
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ra…
∗∗∗ Finally: measure against calls with spoofed numbers takes effect ∗∗∗
---------------------------------------------
From 1 September it should no longer be possible for your own mobile number to be used for spam calls.
---------------------------------------------
https://futurezone.at/netzpolitik/rtr-veordnung-massnahme-nummer-gefaelscht…
∗∗∗ Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations ∗∗∗
---------------------------------------------
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-de…
∗∗∗ Cybercrime and Sabotage Cost German Firms $300 Billion In Past Year ∗∗∗
---------------------------------------------
According to a new survey from Bitkom, cybercrime and other acts of sabotage have cost German companies around $298 billion in the past year, up 29% on the year before. Reuters reports: Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of ..
---------------------------------------------
https://it.slashdot.org/story/24/08/28/211228/cybercrime-and-sabotage-cost-…
∗∗∗ 12 Best Practices to Secure Your WordPress Login Page ∗∗∗
---------------------------------------------
WordPress powers a significant portion of websites on the internet. With this popularity comes the need for strict security measures, especially for the login page. These entry points are prime targets for hackers and malicious actors. By implementing proper security practices outlined in this guide, you can maintain a secure WordPress login and ..
---------------------------------------------
https://blog.sucuri.net/2024/08/12-best-practices-to-secure-your-wordpress-…
∗∗∗ Microsoft hosts a security summit but no press, public allowed ∗∗∗
---------------------------------------------
CrowdStrike, other vendors, friendly govt reps .. but not anyone who would tell you what happened. Op-ed: Microsoft will host a security summit next month with CrowdStrike and other "key" endpoint security partners joining the fun, during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item.
---------------------------------------------
https://www.theregister.com/2024/08/28/microsoft_closed_security_summit/
∗∗∗ Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets Service Providers ∗∗∗
---------------------------------------------
Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting ripe attack surface for attackers.
---------------------------------------------
https://www.securityweek.com/censys-finds-hundreds-of-exposed-servers-as-vo…
∗∗∗ Telegram as a fraud trap ∗∗∗
---------------------------------------------
The messaging service Telegram has been on everyone's lips at least since the arrest of its founder Pavel Durov in Paris. Telegram has kept us at Watchlist Internet busy for much longer, though. Hardly anywhere else do criminals succeed better at luring victims into their traps. Investment fraud, pyramid schemes and fraudulent job offers in particular cause sometimes horrendous losses. So far there have been no consequences for the criminals on Telegram.
---------------------------------------------
https://www.watchlist-internet.at/news/telegram-als-betrugsfalle/
∗∗∗ $2.5 million reward offered for hacker linked to notorious Angler Exploit Kit ∗∗∗
---------------------------------------------
Who doesn't fancy earning US $2.5 million? That's the reward that's on offer from US authorities for information leading to the arrest and/or conviction of the man who allegedly was a key figure behind the development and distribution of the notorious Angler Exploit Kit. Read more in my article on the Tripwire State of Security blog.
---------------------------------------------
https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-…
∗∗∗ Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks ∗∗∗
---------------------------------------------
The BlackByte ransomware gang is only posting a fraction of its successful attacks on its leak site this year, according to researchers from Cisco.
---------------------------------------------
https://therecord.media/blackbyte-ransomware-group-posting-fraction-of-leaks
∗∗∗ State-backed attackers and commercial surveillance vendors repeatedly use the same exploits ∗∗∗
---------------------------------------------
We’re sharing an update on suspected state-backed attacker APT29 and the use of exploits identical to those used by Intellexa and NSO.
---------------------------------------------
https://blog.google/threat-analysis-group/state-backed-attackers-and-commer…
∗∗∗ The Big TIBER Encyclopedia ∗∗∗
---------------------------------------------
An analysis of current TIBER implementations ahead of DORA's TLPT requirements. TIBER (Threat Intelligence-Based Ethical Red Teaming) is a framework introduced by the European Central Bank (ECB) in 2018 as a response to the increasing number of cyber threats faced by financial institutions. The framework provides a ..
---------------------------------------------
https://blog.nviso.eu/2024/08/29/the-big-tiber-encyclopedia/
∗∗∗ The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks ∗∗∗
---------------------------------------------
Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but when it comes to fuzzing popular systems used in ICS environments, it traditionally involved a custom hardware setup to fuzz the code in its native environment.
---------------------------------------------
https://blog.talosintelligence.com/fuzzing-uc-os-protocol-stacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Family August 2024 First Round Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82727/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily