=====================
= End-of-Day report =
=====================
Timeframe: Freitag 04-10-2024 18:00 − Montag 07-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗
---------------------------------------------
Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned…
∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗
---------------------------------------------
MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom…
∗∗∗ Spielzeugmarke: Hack der Lego-Webseite zielt auf Kryptobetrug ab ∗∗∗
---------------------------------------------
Am 4. Oktober 2024 wurde die offizielle Website von Lego Opfer eines Hacks. Unbekannte bewarben eine Kryptowährung namens Lego-Coin.
---------------------------------------------
https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k…
∗∗∗ Nach US-Bann: Kaspersky fliegt weltweit aus dem Google Play Store ∗∗∗
---------------------------------------------
Kaspersky-Software ist seit Tagen nicht mehr im Play Store erhältlich. Ursache ist das US-Verbot des russischen Herstellers - mit globalen Auswirkungen.
---------------------------------------------
https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go…
∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗
---------------------------------------------
Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations.
---------------------------------------------
https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/
∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗
---------------------------------------------
This blog explores HUMINTs role in cybersecurity, detailing its implementation, benefits, and potential risks.
---------------------------------------------
https://www.sans.org/blog/humint-and-its-role-within-cybersecurity
∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗
---------------------------------------------
Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.)
---------------------------------------------
https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack…
∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.The flaw, tracked as CVE-2024-47561, ..
---------------------------------------------
https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html
∗∗∗ Chinesische Hacker stehlen sensible Daten von US-Gerichten ∗∗∗
---------------------------------------------
Via Internetdienstanbieter verschafft sich die "Salt Typhoon"-Kampagne Zugriff zu heiklen Daten. US-Behörden befürchten weitere Angriffe
---------------------------------------------
https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s…
∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗
---------------------------------------------
Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗
---------------------------------------------
This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included.
---------------------------------------------
https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma…
∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗
---------------------------------------------
Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies.
---------------------------------------------
https://therecord.media/russian-state-media-company-disrupted-cyberattack
∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗
---------------------------------------------
How to communicate more effectively with board members to improve cyber security decision making.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin…
∗∗∗ Forensic Readiness in Container Environments ∗∗∗
---------------------------------------------
One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗
---------------------------------------------
Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00198.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), ..
---------------------------------------------
https://lwn.net/Articles/993160/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 03-10-2024 18:00 − Freitag 04-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps ∗∗∗
---------------------------------------------
During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks flood. [..] Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-re…
∗∗∗ Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks ∗∗∗
---------------------------------------------
Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-ma…
∗∗∗ Survey of CUPS exploit attempts, (Fri, Oct 4th) ∗∗∗
---------------------------------------------
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.
---------------------------------------------
https://isc.sans.edu/diary/rss/31326
∗∗∗ Apple fixes bug that let VoiceOver shout your passwords ∗∗∗
---------------------------------------------
Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceo…
∗∗∗ Sicherheitsupdates: Cisco patcht Lücken in Produkten quer durch die Bank ∗∗∗
---------------------------------------------
Neben einem kritischen Fehler kümmert sich der Netzwerkausrüster auch um einige Lücken mit mittlerem und hohem Risikograd. Patches stehen bereit.
---------------------------------------------
https://heise.de/-9961998
∗∗∗ DRAY:BREAK Breaking Into DreyTek Routers Before Threat Actors Do It Again ∗∗∗
---------------------------------------------
In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers.
---------------------------------------------
https://www.forescout.com/resources/draybreak-draytek-research/
∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗
---------------------------------------------
Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor.
---------------------------------------------
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne…
∗∗∗ Ransomware Groups Demystified: CyberVolk Ransomware ∗∗∗
---------------------------------------------
As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-c…
∗∗∗ Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks ∗∗∗
---------------------------------------------
Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.
---------------------------------------------
https://thehackernews.com/2024/10/android-14-adds-new-security-features.html
∗∗∗ Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone ∗∗∗
---------------------------------------------
Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail.
---------------------------------------------
https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).
---------------------------------------------
https://lwn.net/Articles/992936/
∗∗∗ Keycloak 26.0.0 released ∗∗∗
---------------------------------------------
CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core, CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect , CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak, CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java
---------------------------------------------
https://www.keycloak.org/2024/10/keycloak-2600-released
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 02-10-2024 18:00 − Donnerstag 03-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake browser updates spread updated WarmCookie malware ∗∗∗
---------------------------------------------
A new FakeUpdate campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-…
∗∗∗ FIN7 hackers launch deepfake nude “generator” sites to spread malware ∗∗∗
---------------------------------------------
The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake…
∗∗∗ Weird Zimbra Vulnerability ∗∗∗
---------------------------------------------
Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit.In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.h…
∗∗∗ INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa ∗∗∗
---------------------------------------------
INTERPOL has announced the arrest of eight individuals in Côte dIvoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes ..
---------------------------------------------
https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html
∗∗∗ APT and financial attacks on industrial organizations in Q2 2024 ∗∗∗
---------------------------------------------
This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-in…
∗∗∗ Experts warn of DDoS attacks using linux printing vulnerability ∗∗∗
---------------------------------------------
A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline.
---------------------------------------------
https://therecord.media/ddos-attacks-cups-linux-print-vulnerability
∗∗∗ As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever ∗∗∗
---------------------------------------------
Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) in 2023, only 87 were investigated — fewer than 7%. The numbers so far for 2024 are similar.
---------------------------------------------
https://therecord.media/uk-ico-ransomware-investigations-data
∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗
---------------------------------------------
Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat ..
---------------------------------------------
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne…
∗∗∗ perfctl: A Stealthy Malware Targeting Millions of Linux Servers ∗∗∗
---------------------------------------------
In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you ..
---------------------------------------------
https://blog.aquasec.com/perfctl-a-stealthy-malware-targeting-millions-of-l…
∗∗∗ "Alptraum": Daten aller niederländischen Polizisten geklaut – von Drittstaat? ∗∗∗
---------------------------------------------
Hacker haben die Kontaktdaten aller Mitarbeiter der Polizei erbeutet. Nun kommt das Justizministerium mit einer weiteren alarmierenden Nachricht.
---------------------------------------------
https://heise.de/-9961529
∗∗∗ Thailändische Regierung von neuem APT "CeranaKeeper" angegriffen ∗∗∗
---------------------------------------------
Bei Angriffen auf thailändische Behörden erbeuteten Cyberkriminelle Daten, indem sie verschlüsselte Dateien zu Filesharing-Diensten hochluden.
---------------------------------------------
https://heise.de/-9961562
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1321: Apple macOS AppleVADriver Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1321/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).
---------------------------------------------
https://lwn.net/Articles/992798/
∗∗∗ Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-043
∗∗∗ Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 01-10-2024 18:00 − Mittwoch 02-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Crook made millions by breaking into execs’ Office365 inboxes, feds say ∗∗∗
---------------------------------------------
Email accounts inside 5 US companies unlawfully breached through password resets.
---------------------------------------------
https://arstechnica.com/?p=2053721
∗∗∗ Evil Corp hit with new sanctions, BitPaymer ransomware charges ∗∗∗
---------------------------------------------
The Evil Corp cybercrime syndicate has been hit with new sanctions by the United States, United Kingdom, and Australia. The US also indicted one of its members for conducting BitPaymer ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanct…
∗∗∗ Arc browser launches bug bounty program after fixing RCE bug ∗∗∗
---------------------------------------------
The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bou…
∗∗∗ CISA: Network switch RCE flaw impacts critical infrastructure ∗∗∗
---------------------------------------------
U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-network-switch-rce-flaw…
∗∗∗ PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data ∗∗∗
---------------------------------------------
A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft ..
---------------------------------------------
https://thehackernews.com/2024/10/pypi-repository-found-hosting-fake.html
∗∗∗ Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities ∗∗∗
---------------------------------------------
A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices."These vulnerabilities could enable attackers to take control ..
---------------------------------------------
https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html
∗∗∗ NISTs security flaw database still backlogged with 17K+ unprocessed bugs. Not great ∗∗∗
---------------------------------------------
Logjam hurting infosec processes world over one expert tells us as US body blows its own Sept deadline NIST has made some progress clearing its backlog of security vulnerability reports to process - though its not quite on target as hoped.
---------------------------------------------
https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
∗∗∗ After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks ∗∗∗
---------------------------------------------
Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai.
---------------------------------------------
https://www.securityweek.com/after-code-execution-researchers-show-how-cups…
∗∗∗ Dotnet Source Generators in 2024 Part 1: Getting Started ∗∗∗
---------------------------------------------
In this blog post, we will cover the basics of a source generator, the major types involved, some common issues you might encounter, how to properly log those issues, and how to fix them.
---------------------------------------------
https://posts.specterops.io/dotnet-source-generators-in-2024-part-1-getting…
∗∗∗ Aktive Ausnutzung einer Sicherheitslücke in Zimbra Mail Server (CVE-2024-45519) ∗∗∗
---------------------------------------------
Der Hersteller des Zimbra Mail-Servers, Synacor, hat ein Advisory zu einer Sicherheitslücke in Zimbra Collaboration veröffentlicht. Die veröffentlichte Schwachstelle, CVE-2024-45519, erlaubt es nicht-authentifizierten Benutzern aus der Ferne Code auszuführen. Für die betroffenen Versionen (9.0.0, 10.0.9, 10.1.1 und 8.8.15) stehen jeweils Updates bereit, welche eine ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/zimbra-rce-cve-2024-45519
∗∗∗ Sicherheit: Datenabflüsse bei Cyberangriffen ∗∗∗
---------------------------------------------
Nach einem Cyberangriff auf eine Klinik in Bad Wildungen im August 2024 sind nun Daten im Darknet aufgetaucht. Auch bei der niederländischen Polizei gab es einen Datenabfluss nach einem Cyberangriff. Hier einige Informationen ..
---------------------------------------------
https://www.borncity.com/blog/2024/10/02/sicherheit-datenabfluesse-bei-cybe…
∗∗∗ All that JavaScript for… spear phishing? ∗∗∗
---------------------------------------------
NVISO employs several hunting rules in multiple Threat Intelligence Platforms and other sources, such as VirusTotal. As you can imagine, there is no lack of APT (Advanced Persistent Threat) campaigns, cybercriminals and their associated malware families and campaigns, phishing, and so on. But now and then, something slightly different and perhaps novel ..
---------------------------------------------
https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/
∗∗∗ ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations ∗∗∗
---------------------------------------------
Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) - in partnership with CISA, U.S. government and international partners - released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-a…
∗∗∗ LKA Niedersachsen warnt vor andauernder Masche mit Erpresser-Mails ∗∗∗
---------------------------------------------
Die Betrüger lassen nicht nach, warnt das LKA Niedersachsen. Erpresser-Mails etwa mit angeblichen Videoaufnahmen kursieren weiter.
---------------------------------------------
https://heise.de/-9960503
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).
---------------------------------------------
https://lwn.net/Articles/992650/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-09-2024 18:00 − Dienstag 01-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Defender adds detection of unsecure Wi-Fi networks ∗∗∗
---------------------------------------------
Microsoft Defender now automatically detects and notifies users with a Microsoft 365 Personal or Family subscription when theyre connected to unsecured Wi-Fi networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-defender-now-autom…
∗∗∗ Microsoft overhauls security for publishing Edge extensions ∗∗∗
---------------------------------------------
Microsoft has introduced an updated version of the "Publish API for Edge extension developers" that increases the security for developer accounts and the updating of browser extensions.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-overhauls-securit…
∗∗∗ What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)? ∗∗∗
---------------------------------------------
Discover how GreyNoise’s honeypots are monitoring exploit attempts on the SolarWinds Serv-U vulnerability (CVE-2024-28995). Gain insights into the specific files attackers target and how real-time data helps security teams focus on true threats.
---------------------------------------------
https://www.greynoise.io/blog/what-are-hackers-searching-for-in-solarwinds-…
∗∗∗ Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning ∗∗∗
---------------------------------------------
Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model.
---------------------------------------------
https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-t…
∗∗∗ Rackspace internal monitoring web servers hit by zero-day ∗∗∗
---------------------------------------------
Reading between the lines, it appears Rackspace was hosting a ScienceLogic-powered monitoring dashboard for its customers on its own internal web servers, those servers included a program that was bundled with ScienceLogic's software, and that program was exploited, using a zero-day vulnerability, by miscreants to gain access to those web servers. From there, the intruders were able to get hold of some monitoring-related customer information before being caught.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/30/rackspace_ze…
∗∗∗ Crooked Cops, Stolen Laptops & the Ghost of UGNazi ∗∗∗
---------------------------------------------
A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the mans alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.
---------------------------------------------
https://krebsonsecurity.com/2024/09/crooked-cops-stolen-laptops-the-ghost-o…
∗∗∗ BSI empfiehlt die Nutzung von Passkeys ∗∗∗
---------------------------------------------
Das BSI empfiehlt die Nutzung von Passkeys. Eine Umfrage zeige auf, dass die Bekanntheit und Verbreitung ausbaufähig seien.
---------------------------------------------
https://heise.de/-9959270
∗∗∗ Ransomware: Ermittler melden neue Erfolge im Kampf gegen Lockbit ∗∗∗
---------------------------------------------
Neben Verhaftungen in Frankreich und Großbritannien haben internationale Strafverfolger die Infrastruktur der Erpresser gestört – zudem ergingen Sanktionen.
---------------------------------------------
https://heise.de/-9959100
∗∗∗ WordPress Vulnerability & Patch Roundup September 2024 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education.
---------------------------------------------
https://blog.sucuri.net/2024/09/wordpress-vulnerability-patch-roundup-septe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).
---------------------------------------------
https://lwn.net/Articles/992444/
∗∗∗ Mozilla Foundation Security Advisories 2024-10-01 (Thunderbird and Firefox) ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Juniper: 2024-09-30 Out of Cycle Security Advisory: Multiple Products: RADIUS protocol susceptible to forgery attacks (Blast-RADIUS) (CVE-2024-3596) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-09-30-Out-of-Cycle-Securit…
∗∗∗ Bosch: Sensitive information disclosure in Bosch Configuration Manager ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-981803-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-09-2024 18:00 − Montag 30-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US-Wahlkampf: Anklage wegen des Hacks der Trump-Kampagne erhoben ∗∗∗
---------------------------------------------
Drei Männer müssen sich vor Gericht wegen des Cyberangriffs auf das Wahlkampfteam von Donald Trump verantworten.
---------------------------------------------
https://www.golem.de/news/us-wahlkampf-anklage-wegen-des-hacks-der-trump-ka…
∗∗∗ How to Know if Your Website Is Hacked ∗∗∗
---------------------------------------------
Whether you manage a gaming blog, an e-commerce platform, or an enterprise-level website you probably want to be able to detect infections when they occur. A hacked website can lead to financial loss, disruption of business operations, and the exposure of confidential information. The key is acting fast once you discover possible ..
---------------------------------------------
https://blog.sucuri.net/2024/09/how-do-website-owners-know-that-their-websi…
∗∗∗ If youre holding important data, Iran is probably trying spearphish it ∗∗∗
---------------------------------------------
Its election year for more than 50 countries and the Islamic Republic threatens a bunch of them US and UK national security agencies are jointly warning about Iranian spearphishing campaigns, which remain an ongoing threat to various industries and governments.
---------------------------------------------
https://www.theregister.com/2024/09/30/iran_spearphishing/
∗∗∗ The Pig Butchering Invasion Has Begun ∗∗∗
---------------------------------------------
Scamming operations that once originated in Southeast Asia are now proliferating around the world, likely raking in billions of dollars in the process.
---------------------------------------------
https://www.wired.com/story/pig-butchering-scam-invasion/
∗∗∗ Eliminating Memory Safety Vulnerabilities at the Source ∗∗∗
---------------------------------------------
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning ..
---------------------------------------------
http://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabil…
∗∗∗ The Data Breach Disclosure Conundrum ∗∗∗
---------------------------------------------
The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know?
---------------------------------------------
https://www.troyhunt.com/the-data-breach-disclosure-conundrum/
∗∗∗ How can you protect your data, privacy, and finances if your phone gets lost or stolen? ∗∗∗
---------------------------------------------
Steps to take when your device is lost or stolen TL;DR This is a guide to help prepare for a situation where your mobile device is lost or stolen, including ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-can-you-protect-your-data…
∗∗∗ Cyber Security Month: Stärken Sie Ihr Wissen ∗∗∗
---------------------------------------------
Im Oktober dreht sich alles um das Thema Cybersicherheit. Nutzen Sie die Gelegenheit, um Ihr Wissen über Phishing, Schadsoftware und andere Cyberbedrohungen aufzufrischen.
---------------------------------------------
https://www.watchlist-internet.at/news/cyber-security-month-2024/
∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗
---------------------------------------------
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP ..
---------------------------------------------
https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end…
∗∗∗ Datenschutzvorfall bei GlobalSign (Sept. 2024) ∗∗∗
---------------------------------------------
Der Anbieter GlobalSign musste gegenüber einigen Kunden einen Datenschutzvorfall eingestehen. Bei deren Customer Relationship Management Platform (CRM) kam es zu einer Fehlkonfigurierung, so dass ein ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/30/datenschutzvorfall-bei-globalsign-…
∗∗∗ Facial DNA provider leaks biometric data via WordPress folder ∗∗∗
---------------------------------------------
ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…
---------------------------------------------
https://hackread.com/facial-dna-provider-leak-biometric-data-wordpress-fold…
=====================
= Vulnerabilities =
=====================
∗∗∗ Local Privilege Escalation mittels MSI Installer in Nitro PDF Pro ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 26-09-2024 18:00 − Freitag 27-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Storm-0501: Ransomware attacks expanding to hybrid cloud environments ∗∗∗
---------------------------------------------
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomw…
∗∗∗ NIST Recommends Some Common-Sense Password Rules ∗∗∗
---------------------------------------------
NIST’s second draft of its “SP 800-63-4“ - its digital identify guidelines - finally contains some really good rules about passwords.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-…
∗∗∗ Kaspersky Defends Stealth Swap of Antivirus Software on US Computers ∗∗∗
---------------------------------------------
Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software. Kaspersky ..
---------------------------------------------
https://it.slashdot.org/story/24/09/26/1825249/kaspersky-defends-stealth-sw…
∗∗∗ Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate."These attacks could be ..
---------------------------------------------
https://thehackernews.com/2024/09/hackers-could-have-remotely-controlled.ht…
∗∗∗ Victims lose $70K to one single wallet-draining app on Googles Play Store ∗∗∗
---------------------------------------------
Attackers got 10k people to download trusted web3 brand cheat before Mountain View intervened The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign ..
---------------------------------------------
https://www.theregister.com/2024/09/26/victims_lose_70k_to_play/
∗∗∗ Patch now: Critical Nvidia bug allows container escape, complete host takeover ∗∗∗
---------------------------------------------
33% of cloud environments using the toolkit impacted, were told A critical bug in Nvidias widely used Container Toolkit could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host.
---------------------------------------------
https://www.theregister.com/2024/09/26/critical_nvidia_bug_container_escape/
∗∗∗ Highly Anticipated Linux Flaw Allows Remote Code Execution, but Less Serious Than Expected ∗∗∗
---------------------------------------------
A researcher has disclosed the details of an unpatched vulnerability that was expected to pose a serious threat to many Linux systems.
---------------------------------------------
https://www.securityweek.com/highly-anticipated-linux-flaw-allows-remote-co…
∗∗∗ US Announces Charges, Sanctions Against Russian Administrator of Carding Website ∗∗∗
---------------------------------------------
US offers up to $10 million for information on Timur Shakhmametov, charging him with running the carding website Joker’s Stash.
---------------------------------------------
https://www.securityweek.com/us-announces-charges-sanctions-against-russian…
∗∗∗ Spatenstich für Cybersecurity-Campus der TU Graz ∗∗∗
---------------------------------------------
Rund 25 Millionen Euro werden in den Komplex für bis zu 160 Forschende in der Sandgasse investiert. Auch IT-Start-ups sollen dort Platz finden
---------------------------------------------
https://www.derstandard.at/story/3000000238456/spatenstich-fuer-cybersecuri…
∗∗∗ Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 ∗∗∗
---------------------------------------------
ESET Research has conducted a comprehensive technical analysis of Gamaredon’s toolset used to conduct its cyberespionage activities focused in Ukraine
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-wa…
∗∗∗ Geoblocking als einfache DDoS-Abwehr ∗∗∗
---------------------------------------------
Distributed Denial of Service (DDoS) Angriffe gibt es in diversen Varianten, das reicht von reflected UDP mit hoher Bandbreite über Tricksereien auf Layer 4 (etwa TCP-SYN Flooding, oder auch nur Überlastung der State-Tabellen in Firewalls) bis hin zu Layer 7 Angriffen mit vielen teuren http Anfragen. Aktuell sehen wir gerade letztere, dazu wollen wir ein ..
---------------------------------------------
https://www.cert.at/de/blog/2024/9/geoblocking-gegen-ddos
∗∗∗ Meta fined $101 million for storing hundreds of millions of passwords in plaintext ∗∗∗
---------------------------------------------
European regulators fined Meta for an engineering mistake that the social media giant first reported in 2019.
---------------------------------------------
https://therecord.media/meta-unprotected-passwords-fine-gdpr
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1290: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1290/
∗∗∗ ZDI-24-1289: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1289/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 25-09-2024 18:00 − Donnerstag 26-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. [..] For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
---------------------------------------------
https://blog.talosintelligence.com/talos-discovers-denial-of-service-vulner…
∗∗∗ The Cyber Resilience Act, an Accidental European Alien Torts Statute? ∗∗∗
---------------------------------------------
What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible?
---------------------------------------------
https://www.lawfaremedia.org/article/the-cyber-resilience-act--an-accidenta…
∗∗∗ Threat landscape for industrial automation systems, Q2 2024 ∗∗∗
---------------------------------------------
In this report, we share statistics on threats to industrial control systems in Q2 2024, including statistics by region, industry, malware and other threat types.
---------------------------------------------
https://securelist.com/industrial-threat-landscape-q2-2024/113981/
∗∗∗ Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking ∗∗∗
---------------------------------------------
DMA allows input-output (I/O) devices to access memory without CPU involvement. Bypassing the Operating System (OS) by providing direct high-speed access to the system’s memory improves efficiency for Graphics processing units (GPUs), Network Interface Cards (NICs), storage devices (e.g. NVMe) and peripheral devices. DMA capable connections include PCI, PCI Express (PCIe), Thunderbolt, FireWire, ExpressCard. Without additional safeguards, DMA can make systems vulnerable to attacks.
---------------------------------------------
https://www.pentestpartners.com/security-blog/direct-memory-access-dma-atta…
∗∗∗ Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy ∗∗∗
---------------------------------------------
We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant).
---------------------------------------------
https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/
∗∗∗ Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam ∗∗∗
---------------------------------------------
Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.
---------------------------------------------
https://blog.talosintelligence.com/simple-mail-transfer-pirates/
∗∗∗ Phishing and Social Engineering: The Human Factor in Election Security ∗∗∗
---------------------------------------------
Discover how phishing and social engineering threaten the 2024 U.S. elections in part three of our Election Cybersecurity series. Learn how attackers exploit human vulnerabilities to compromise systems and how to defend against these evolving threats.
---------------------------------------------
https://www.greynoise.io/blog/phishing-and-social-engineering-the-human-fac…
∗∗∗ Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks ∗∗∗
---------------------------------------------
Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response.
---------------------------------------------
https://hackread.com/dell-data-leak-in-week-amid-grep-cyberattacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ HPE Aruba Networking fixes critical flaws impacting Access Points ∗∗∗
---------------------------------------------
HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-t…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9).
---------------------------------------------
https://lwn.net/Articles/991897/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-27838, CVE-2024-27851, CVE-2024-40866, CVE-2024-44187
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0005.html
∗∗∗ Cisco IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 16, 2024 to September 22, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 24-09-2024 18:00 − Mittwoch 25-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ChatGPT macOS Flaw Couldve Enabled Long-Term Spyware via Memory Function ∗∗∗
---------------------------------------------
A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said.
---------------------------------------------
https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.h…
∗∗∗ Schon wieder: Offizielles Twitter-Konto OpenAIs von Krypto-Betrügern übernommen ∗∗∗
---------------------------------------------
Der offizielle Twitter-Account der Pressestelle von ChatGPT-Anbieter OpenAI wurde von Betrügern übernommen und genutzt, um eine Fake-Kryptowährung zu promoten.
---------------------------------------------
https://heise.de/-9953073
∗∗∗ AI-Generated Malware Found in the Wild ∗∗∗
---------------------------------------------
HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper.
---------------------------------------------
https://www.securityweek.com/ai-generated-malware-found-in-the-wild/
∗∗∗ Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz ∗∗∗
---------------------------------------------
Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tact…
∗∗∗ LummaC2: Obfuscation Through Indirect Control Flow ∗∗∗
---------------------------------------------
This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscatio…
∗∗∗ Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks ∗∗∗
---------------------------------------------
The manufacturing, real estate and transportation industries are recent targets of the cybercrime operation known as DragonForce. Researchers say its serving up versions of LockBit and Conti to affiliates.
---------------------------------------------
https://therecord.media/lockbit-conti-dragonforce-ransomware-cybercrime
∗∗∗ Shedding Light on Election Deepfakes ∗∗∗
---------------------------------------------
Contrary to popular belief, deepfakes — AI-crafted audio files, images, or videos that depict events and statements that never occurred; a portmanteau of “deep learning” and “fake” — are not all intrinsically malicious. [..] Let’s take a look at the state of deepfakes during the 2020 elections, how it’s currently making waves in the 2024 election cycle, and how voters can tell truth from digital deception.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/shedding-li…
=====================
= Vulnerabilities =
=====================
∗∗∗ 20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin ∗∗∗
---------------------------------------------
This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. [..] After providing full disclosure details, the developer released a patch on September 23, 2024. [..] CVE ID: CVE-2024-8290
---------------------------------------------
https://www.wordfence.com/blog/2024/09/20000-wordpress-sites-affected-by-pr…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).
---------------------------------------------
https://lwn.net/Articles/991701/
∗∗∗ WatchGuard SSO and Moodle ∗∗∗
---------------------------------------------
rt-sa-2024-008: WatchGuard SSO Client Denial-of-Service,
rt-sa-2024-007: WatchGuard SSO Agent Telnet Authentication Bypass,
rt-sa-2024-006: WatchGuard SSO Protocol is Unencrypted and Unauthenticated,
rt-sa-2024-009: Moodle: Remote Code Execution via Calculated Questions
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/
∗∗∗ Teamviewer: Hochriskante Lücken ermöglichen Rechteausweitung ∗∗∗
---------------------------------------------
In den Teamviewer-Remote-Clients können Angreifer eine unzureichende kryptografische Prüfung von Treiberinstallationen missbrauchen, um ihre Rechte auszuweiten und Treiber zu installieren (CVE-2024-7479, CVE-2024-7481; beide CVSS 8.8, Risiko "hoch"). [..] Die seit Dienstag dieser Woche verfügbare Version 15.58.4 oder neuere schließen diese Sicherheitslücken.
---------------------------------------------
https://heise.de/-9953034
∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-45817 ∗∗∗
---------------------------------------------
https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervi…
∗∗∗ Schwachstelle in BlackBerry CylanceOPTICS Windows Installer Package ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/schwachstelle-in-blac…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-09-2024 18:00 − Dienstag 24-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hackerangriff hier, Hackerangriff da? Nein. ∗∗∗
---------------------------------------------
Ein Kommentar zur aktuellen Berichterstattung rund um DDoS-Angriffe gegen die Webseiten politischer Parteien in Österreich.
---------------------------------------------
https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff
∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗
---------------------------------------------
An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-…
∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗
---------------------------------------------
A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-octo-android-malware-ver…
∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗
---------------------------------------------
Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited.
---------------------------------------------
https://isc.sans.edu/diary/rss/31292
∗∗∗ Untersuchung von Solaris / SunOS - Persistenz mit Systemprozessen ∗∗∗
---------------------------------------------
Im Vergleich zu Windows oder sogar Linux ist das öffentliche Wissen und die Anleitung zur digitalen Forensik für Solaris / SunOS eher dünn. Während dieses Einsatzes haben wir unser Wissen über Solaris erheblich erweitert und es auf verschiedene Angreifertechniken hin untersucht. In diesem Blog-Beitrag möchten wir unsere Erfahrungen mit der Untersuchung potenzieller Persistenz durch Systemprozesse im Zusammenhang mit der MITRE ATT&CK-Technik T1543 teilen.
---------------------------------------------
https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persiste…
∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗
---------------------------------------------
A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. {..] Deloitte says no sensitive data exposed after a notorious hacker leaked what he claimed to be internal communications.
---------------------------------------------
https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-afte…
∗∗∗ Kirchenaustritt nicht über kirchenaustritt-digital-beantragen.at beantragen ∗∗∗
---------------------------------------------
Wer Informationen zum Kirchenaustritt sucht, landet schnell bei kirchenaustritt-digital-beantragen.at. Wir raten jedoch davon ab, über diesen kostenpflichtigen Dienst den Austritt zu beantragen. Beschwerden zufolge wird die Kündigung trotz Bezahlung nicht an die Kirche übermittelt. Außerdem werden sehr viele Daten und eine Ausweiskopie verlangt. Wir raten generell davon ab, Kündigungen usw. über Drittanbieter abzuwickeln.
---------------------------------------------
https://www.watchlist-internet.at/news/kirchenaustritt/
∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗
---------------------------------------------
We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain.
---------------------------------------------
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗
---------------------------------------------
A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service.
---------------------------------------------
https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗
---------------------------------------------
Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity.
---------------------------------------------
https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-t…
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel,
ICSA-24-268-02 Alisonic Sibylla,
ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO,
ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE,
ICSA-24-268-05 Moxa MXview One,
ICSA-24-268-06 OMNTEC Proteus Tank Monitoring,
ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A),
ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-indu…
∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗
---------------------------------------------
Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269)
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗
---------------------------------------------
In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated…
∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-462.html
∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83325/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily