Daily

daily@lists.cert.at

1 participants
3083 discussions

Tageszusammenfassung - 08.07.2024
by Daily end-of-shift report 08 Jul '24

08 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-07-2024 18:00 − Montag 08-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fast 10 Milliarden Passwörter: Gigantischer Passwort-Leak wirft Fragen auf ∗∗∗ --------------------------------------------- In einem Hackerforum ist eine fast 50 GByte große Passwortliste namens Rockyou2024 aufgetaucht. [..] Das erhebliche Sicherheitsrisiko, vor dem einige Medien warnen, scheint von Rockyou2024 allerdings nicht auszugehen. [..] "Sorry, hier gibt es nichts zu sehen. Das ist einfach nur minderwertiger Müll – sowohl die 'geleakte' Datei als auch die Berichterstattung darüber", so Karlslunds Fazit. --------------------------------------------- https://www.golem.de/news/fast-10-milliarden-passwoerter-gigantischer-passw… ∗∗∗ Nach Cyberangriff: Warnmail von Microsoft landet bei vielen Kunden im Spam ∗∗∗ --------------------------------------------- Seit Juni informiert Microsoft betroffene Kunden über bei einem Cyberangriff abgeflossene E-Mails. So ganz reibungslos läuft das offenbar noch nicht. [..] "Überprüfen Sie Ihre E-Mail-Protokolle (einschließlich Exchange Online) auf eine E-Mail von mbsupport(a)microsoft.com", warnt der Forscher. --------------------------------------------- https://www.golem.de/news/nach-cyberangriff-warnmail-von-microsoft-landet-b… ∗∗∗ Nach Cyberangriff: Hacker erpressen Ticketmaster und verschenken Tickets ∗∗∗ --------------------------------------------- Die Angreifer behaupten, Ticket-Barcodes im Gesamtwert von mehr als 22 Milliarden US-Dollar erbeutet zu haben. Für Taylor-Swift-Konzerte stehen schon einige im Netz. --------------------------------------------- https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-ticketmaster-u… ∗∗∗ Booking.com: Aufforderung zur erneuten Buchungsbestätigung ist Betrug ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie im Nachrichtenportal von booking.com trotz bestätigter Buchung aufgefordert werden, die Buchung erneut zu bestätigen. Dahinter stecken Kriminelle, die sich Zugang zum Buchungssystem des Hotels verschafft haben. Klicken Sie nicht auf den Link und antworten Sie nicht! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-aufforderung-zur-erneuten… ∗∗∗ Schadcode-Attacken auf Multifunktionsdrucker von Toshiba und Sharp möglich ∗∗∗ --------------------------------------------- Angreifer können hunderte Multifunktionsdrucker von Toshiba und Sharp ins Visier nehmen. Sicherheitsupdates sind verfügbar. [..] Toshiba hat bereits Mitte Juni 2024 Informationen zu den Schwachstellen und betroffenen Modellen bekannt gegeben. Der Sicherheitsforscher hat seine Informationen erst kürzlich veröffentlicht. --------------------------------------------- https://heise.de/-9793179 ∗∗∗ Kunai: Keep an Eye on your Linux Hosts Activity, (Mon, Jul 8th) ∗∗∗ --------------------------------------------- Last week, I attended « Pass The Salt », a conference focussing on open-source software and cybersecurity. I participated in a very interesting workshop about « Kunai ». This tool, developed by Quentin Jérôme from CIRCL (the Luxembourg CERT) aims to replace SysmonForLinux. Its goal is to record and log system activity but in a more «Linux-oriented» flavor. It was presented for the first time at hack.lu in 2023 and it now reaches enough maturity to be tested and deployed on some Linux hosts. --------------------------------------------- https://isc.sans.edu/diary/rss/31054 ∗∗∗ Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies ∗∗∗ --------------------------------------------- The supply chain attack targeting the widely-used Polyfill[.]io JavaScript library is broader in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024. [..] "Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it." --------------------------------------------- https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html ∗∗∗ Tool: AtomDucky ∗∗∗ --------------------------------------------- Atom Ducky is a HID device controlled through a web browser. Its designed to function as a wirelessly operated Rubber Ducky, personal authenticator, or casual keyboard. Its primary aim is to help ethical hackers gain knowledge about Rubber Ducky devices while integrating their use into everyday life. --------------------------------------------- https://www.reddit.com/r/netsec/comments/1drhkc0/atom_ducky_wifi_rubber_duc… ∗∗∗ Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) (CVSS 9.9, CVSS 9.8) Walkthrough ∗∗∗ --------------------------------------------- In July 2023, the Oligo Research Team disclosed multiple new critical vulnerabilities to Pytorch maintainers Amazon and Meta, including CVE-2023-43654 (CVSS 9.8). [..] Want the deep dive, full story with technical walkthrough for the PyTorch (TorchServe) ShellTorch vulnerabilities CVE-2023-43654 (CVSS: 9.8) and CVE-2022-1471 (CVSS: 9.9)? You’re in the right place. --------------------------------------------- https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabiliti… ∗∗∗ Kimsuky Group’s New Backdoor (HappyDoor) ∗∗∗ --------------------------------------------- This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. The report in AhnLab TIP includes details on encoding & encryption methods, packet structure, and more in addition to the characteristics and features of the malware. --------------------------------------------- https://asec.ahnlab.com/en/67660/ ∗∗∗ The Current State of Browser Cookies ∗∗∗ --------------------------------------------- Well, almost every other website uses cookies. According to W3Techs, as of June 24, 2024, 41.3% of all websites use cookies with some of the most prominent providers included in that list, such as Google, Facebook, Microsoft and Apple. [..] Although cookies are being used to save sensitive data, they are still stored in a way that enables attackers to leak them easily and use them for malicious purposes. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-current-state-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (openssh), Debian (krb5), Fedora (yt-dlp), Gentoo (firefox, KDE Plasma Workspaces, Stellarium, thunderbird, and X.Org X11 library), Mageia (python-js2py and znc), Oracle (389-ds, c-ares, container-tools, cups, go-toolset, httpd:2.4/httpd, iperf3, kernel, less, libreoffice, libuv, nghttp2, openldap, openssh, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, and xmlrpc-c), Red Hat (kernel, kernel-rt, openssh, and virt:rhel and virt-devel:rhel modules), and SUSE (go1.21, go1.22, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, netty3, opera, and python-urllib3). --------------------------------------------- https://lwn.net/Articles/981119/ ∗∗∗ Mastodon: Sicherheitslücke ermöglicht unbefugten Zugriff auf Posts ∗∗∗ --------------------------------------------- Neue Versionen der Mastodon-Serversoftware schließen eine als hochriskant eingestufte Sicherheitslücke. Angreifer können sich unbefugten Zugriff auf Posts verschaffen. [..] Der Fehler tritt demnach ab Mastodon 2.6.0 auf. Die Entwickler haben die Versionen Mastodon 4.2.10 sowie 4.1.18 veröffentlicht. [..] Nähere Details wollen die Mastodon-Entwickler laut Sicherheitsmitteilung am Montag kommender Woche, den 15. Juli, veröffentlichen. --------------------------------------------- https://heise.de/-9792706 ∗∗∗ Mattermost security updates 9.9.1 / 9.8.2 / 9.7.6 / 9.5.7 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-9-1-9-8-2-9-7-6-9… ∗∗∗ MSI Center: Schwachstelle CVE-2024-37726 ermöglicht System-Privilegien ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/07/06/msi-center-schwachstelle-cve-2024-… ∗∗∗ K000140257: OpenSSL vulnerability CVE-2024-4741 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140257 ∗∗∗ Vulnerability Summary for the Week of July 1, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-190 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2024
by Daily end-of-shift report 05 Jul '24

05 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-07-2024 18:00 − Freitag 05-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Eldorado ransomware targets Windows, VMware ESXi VMs ∗∗∗ --------------------------------------------- A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-eldorado-ransomware-targ… ∗∗∗ Turla: A Master’s Art of Evasion ∗∗∗ --------------------------------------------- Turla, a well-known piece of malware, has taken to weaponising LNK-files to infect computers. We have observed a current example of this. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/07/37977-turla-evasion-lnk-files ∗∗∗ New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new botnet called Zergeca thats capable of conducting distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top"). --------------------------------------------- https://thehackernews.com/2024/07/new-golang-based-zergeca-botnet-capable.h… ∗∗∗ Latest Ghostscript vulnerability haunts experts as the next big breach enabler ∗∗∗ --------------------------------------------- Theres also chatter about whether medium severity scare is actually code red nightmare Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the coming months. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/07/05/ghostscript_… ∗∗∗ Binance-Kund:innen aufgepasst: SMS zu Login-Versuch ist Fake ∗∗∗ --------------------------------------------- Aktuell erreichen uns Meldungen über eine SMS im Namen der Handelsplattform Binance: Angeblich gibt es einen Login-Versuch aus Malta oder einem anderen Land. Es wird um einen Rückruf gebeten. Ignorieren Sie die SMS. Kriminelle versuchen Ihr Konto zu kapern und an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/binance-login-fake/ ∗∗∗ TeamViewer gibt Entwarnung: Keine Kundendaten beim Hack im Juni 2024 abgeflossen ∗∗∗ --------------------------------------------- Der Hack des Fernwartungsanbieters TeamViewer scheint wohl glimpflicher abgegangen zu sein, als befürchtet. Ein staatlicher Akteur (APT29) hatte zwar Zugriff auf die interne IT-Umgebung des Unternehmens. Aber weder die Produktivumgebung mit den Quellen und Binärdateien der Fernwartungssoftware noch Kundendaten scheinen betroffen. Das hat der Anbieter in einem nunmehr dritten Statusupdate bekannt gegeben. --------------------------------------------- https://www.borncity.com/blog/2024/07/05/teamviewer-gibt-entwarnung-keine-k… ∗∗∗ Turning Jenkins Into a Cryptomining Machine From an Attackers Perspective ∗∗∗ --------------------------------------------- In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-crypt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cockpit, python-astropy, python3-docs, and python3.12), Gentoo (BusyBox, GNU Coreutils, GraphicsMagick, podman, PuTTY, Sofia-SIP, TigerVNC, and WebKitGTK+), Mageia (chromium-browser-stable and openvpn), SUSE (cockpit, krb5, and netatalk), and Ubuntu (kopanocore, libreoffice, linux-aws, linux-oem-6.8, linux-aws-5.15, linux-azure, linux-azure-4.15, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oracle, linux-starfive-6.5, and virtuoso-opensource). --------------------------------------------- https://lwn.net/Articles/980855/ ∗∗∗ ZDI-24-897: Trend Micro Apex One modOSCE SQL Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-897/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2024
by Daily end-of-shift report 04 Jul '24

04 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-07-2024 18:00 − Donnerstag 04-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ MikroTik Router als DDoS Quellen: Zahlen für Österreich ∗∗∗ --------------------------------------------- OVH beschreibt ausführlich in einem Blogbeitrag, dass sie es in letzter Zeit öfters mit DDoS-Angriffen zu tun hatten, die sie auf kompromittierte MikroTik Router zurückführen. Es geht hier um ernsthafte Bandbreiten und Packets/Sekunde: kein Wunder, wenn es die Angreifer geschafft haben, gute angebundene Router für ihre Zwecke einzuspannen. [..] Ich habe das als Anlass genommen, mal in unserer Datenbasis (basierend auf Scans von Shadowserver) nachzuschauen, wie es um diese Geräte in Österreich bestellt ist: MikroTik Router, die per SNMP ihre Modellnummern verraten. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/7/mikrotik-snmp ∗∗∗ Authy: Hacker greifen Millionen von Telefonnummern über eine ungesicherte API ab ∗∗∗ --------------------------------------------- Nachdem Kriminelle eine CSV-Datei mit Telefonnummern von angeblich 33 Millionen Authy-Nutzern geleakt haben, drohen unter anderem SMS-Phishing-Attacken. --------------------------------------------- https://heise.de/-9789229 ∗∗∗ Backup-Fiasko in Indonesien: Hacker verschenken Schlüssel und entschuldigen sich ∗∗∗ --------------------------------------------- Ein Ransomwareangriff bereitet Indonesien enorme Probleme. Die Lage ist sogar derart prekär, dass die Angreifer den Behörden nun die Hand reichen. --------------------------------------------- https://www.golem.de/news/backup-fiasko-in-indonesien-hacker-verschenken-sc… ∗∗∗ Neues zum Hack des Qualys-Blogs ∗∗∗ --------------------------------------------- Qualys hat nun (auf meinen Bericht) zum Hack des Unternehmensblogs reagiert und geantwortet. Keine Kunden- und Unternehmensdaten gefährdet, nur a bisserl Spam im Blog, der bei einem Drittanbieter lief. --------------------------------------------- https://www.borncity.com/blog/2024/07/04/neues-zum-hack-des-qualys-blogs/ ∗∗∗ Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) ∗∗∗ --------------------------------------------- HTTP File Server (HFS) is a program that provides a simple type of web service. [..] Recently, the remote code execution vulnerability CVE-2024-23692 in the HFS program that provides web services was announced. Attack cases against vulnerable versions of HFS continue to be detected ever since. Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability. --------------------------------------------- https://asec.ahnlab.com/en/67650/ ∗∗∗ WordPress User Enumeration: Risks & Mitigation Steps ∗∗∗ --------------------------------------------- In this post, we’re diving deep into WordPress user enumeration. We’ll break down what it is, why it’s a problem, and most importantly — how to prevent a compromise. --------------------------------------------- https://blog.sucuri.net/2024/07/wordpress-user-enumeration.html ∗∗∗ The Not-So-Secret Network Access Broker x999xx ∗∗∗ --------------------------------------------- Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is "x999xx," the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups. --------------------------------------------- https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker… ∗∗∗ Dissecting GootLoader With Node.js ∗∗∗ --------------------------------------------- We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts. --------------------------------------------- https://unit42.paloaltonetworks.com/javascript-malware-gootloader/ ∗∗∗ No room for error: Don’t get stung by these common Booking.com scams ∗∗∗ --------------------------------------------- >From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation. --------------------------------------------- https://www.welivesecurity.com/en/scams/common-bookingcom-scams/ ∗∗∗ Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems ∗∗∗ --------------------------------------------- Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system. Grassley noted that the cyberattack led to “malicious activity” potentially compromising some of the country’s most sensitive industrial and critical infrastructure information. --------------------------------------------- https://therecord.media/senator-grassley-cisa-letter-hack ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2). --------------------------------------------- https://lwn.net/Articles/980755/ ∗∗∗ Citrix: Cloud Software Group Security Advisory for CVE-2024-6387 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX678072/cloud-software-group-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2024
by Daily end-of-shift report 03 Jul '24

03 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-07-2024 18:00 − Mittwoch 03-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Europol takes down 593 Cobalt Strike servers used by cybercriminals ∗∗∗ --------------------------------------------- Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobal… ∗∗∗ Cyberangriff: Hacker erbeuten Daten von TÜV Rheinland ∗∗∗ --------------------------------------------- Einer Ransomwarebande ist es gelungen, in ein Schulungsnetzwerk des TÜV Rheinland einzudringen. Dabei sind womöglich Zugangsdaten abgeflossen. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-erbeuten-daten-von-tuev-rhein… ∗∗∗ South Korean ERP Vendors Server Hacked to Spread Xctdoor Malware ∗∗∗ --------------------------------------------- An unnamed South Korean enterprise resource planning (ERP) vendors product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor.The AhnLab Security Intelligence Center (ASEC), which identified .. --------------------------------------------- https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.ht… ∗∗∗ Hijacked: How hacked YouTube channels spread scams and malware ∗∗∗ --------------------------------------------- Here's how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform. --------------------------------------------- https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-sc… ∗∗∗ LockBit claims cyberattack on Croatia’s largest hospital ∗∗∗ --------------------------------------------- The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies. --------------------------------------------- https://therecord.media/lockbit-claims-cyberattack-croatia-hospital ∗∗∗ Wurde der Blog von Qualys gehackt? (2. Juli 2024) ∗∗∗ --------------------------------------------- Kurze Information zu Qualys, ein Technologieunternehmen mit Dienstleistungsangeboten im Bereich Cloud-Sicherheit und Compliance. Es steht die Frage im Raum, ob die mit ihrem Blog womöglich gehackt wurden. --------------------------------------------- https://www.borncity.com/blog/2024/07/03/wurde-der-blog-von-qualys-gehackt-… ∗∗∗ Cisco NX-OS: Update gegen seit April angegriffene Sicherheitslücke ∗∗∗ --------------------------------------------- Im Cisco NX-OS mehrerer Nexus- und MDS-Switches wird eine Sicherheitslücke bereits seit April angegriffen. Jetzt stellt Cisco ein Update bereit. --------------------------------------------- https://heise.de/-9787532 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities in PanelView Plus devices could lead to remote code execution ∗∗∗ --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/02/vulnerabilities-in… ∗∗∗ Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server ∗∗∗ --------------------------------------------- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vu… ∗∗∗ Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Tenable Identity Exposure Version 3.59.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2024
by Daily end-of-shift report 02 Jul '24

02 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 01-07-2024 18:00 − Dienstag 02-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Latest Intel CPUs impacted by new Indirector side-channel attack ∗∗∗ --------------------------------------------- Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations are susceptible to a new type of a high-precision Branch Target Injection (BTI) attack dubbed Indirector, which could be used to steal sensitive information from the CPU. --------------------------------------------- https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-b… ∗∗∗ Zahlungsaufforderung von Tecom für Erotikdienstleistungen ignorieren ∗∗∗ --------------------------------------------- In letzter Zeit werden uns vermehrt SMS-Nachrichten von Tecom gemeldet. Darin werden 90 Euro für Erotikdienstleistungen gefordert. Der Betrag soll auf ein tschechisches Konto überwiesen oder in bar per Einschreiben bezahlt werden. Bezahlen Sie nicht, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderung-von-tecom-fuer-… ∗∗∗ Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform ∗∗∗ --------------------------------------------- This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests. [..] Logsign patched these and other vulnerabilities with version 6.4.8. --------------------------------------------- https://www.thezdi.com/blog/2024/7/1/getting-unauthenticated-remote-code-ex… ∗∗∗ The End of Passwords? Embrace the Future with Passkeys. ∗∗∗ --------------------------------------------- Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, like the adoption of password managers. --------------------------------------------- https://blog.nviso.eu/2024/07/02/the-end-of-passwords-embrace-the-future-wi… ∗∗∗ Modern Cryptographic Attacks: A Guide for the Perplexed ∗∗∗ --------------------------------------------- In this write-up, we lay out in simple terms: “Classic Flavor” modern cryptanalysis (e.g. meet-in-the-middle attacks, Birthday Attack on CBC) [..] Side Channel Attacks (e.g. Timing Attacks, an honorable mention for SPECTRE) [..] Attacks on RSA (e.g. Bleichenbacher’s attack, related message attacks, Coppersmith’s method) --------------------------------------------- https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-f… ∗∗∗ CocoaPods: Anfällig für Supply-Chain-Angriffe in "zahllosen" Mac- und iOS-Apps ∗∗∗ --------------------------------------------- Der Dependency-Manager auf Open-Source-Basis steckt in Millionen von Swift- und Objective-C-Programmen. [..] Eva Security fand heraus, dass CocoaPods bereits im Jahr 2014 alle Pods auf einen neuen "Trunk Server" auf GitHub migriert hat. Dabei wurden die Autoren jeder Bibliothek einfach zurückgesetzt. CocoaPods forderte die Entwickler dann auf, ihre jeweilige Bibliothek zu "claimen". Allerdings taten dies nicht alle. --------------------------------------------- https://heise.de/-9786099 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. [..} To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. [..] In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. [..] CVE-2024-20399 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io). --------------------------------------------- https://lwn.net/Articles/980393/ ∗∗∗ QNAP: Vulnerability in OpenSSH ∗∗∗ --------------------------------------------- A remote code execution (RCE) vulnerability in OpenSSH has been reported to affect QTS 5.2.0 Release Candidate and QuTS hero h5.2. [..] QNAP is actively investigating this issue and working on a solution. We will fix the issue in the official releases of QTS 5.2.0 and QuTS hero h5.2.0. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-31 ∗∗∗ Juniper: Notfall-Update für Junos OS auf SRX-Baureihe ∗∗∗ --------------------------------------------- Juniper Networks schließt eine als hochriskant eingestufte DoS-Lücke im Juniper OS der SRX-Geräte mit einem Update außer der Reihe. [..] Nachdem bereits am Freitag Notfall-Updates von Juniper Networks für Session Smart Router nötig waren, legt das Unternehmen nun mit einem Update außer der Reihe für das Junos OS auf Geräten der SRX-Baureihe nach. Sie dichten eine Denial-of-Service-Sicherheitslücke ab. [..] CVE-2024-21586 --------------------------------------------- https://heise.de/-9785970 ∗∗∗ Android: Google schließt teils kritische Lücken am Juli-Patchday ∗∗∗ --------------------------------------------- Google hat Updates für Android 12, 12L, 13 und 14 im Rahmen des Juli-Patchdays veröffentlicht. Sie schließen Rechteausweitungs-Lücken. [..] Wie immer müssen sich Smartphone-Besitzer etwas gedulden, bis die Android-Aktualisierungen sich als Firmware-Updates für ihr eingesetztes Gerät materialisieren. Selbst für Googles hauseigene Pixel-Smartphones steht das Juli-Update zum Meldungszeitpunkt noch aus. --------------------------------------------- https://heise.de/-9786995 ∗∗∗ Splunk Security Advisories 2024-07-01 ∗∗∗ --------------------------------------------- https://advisory.splunk.com/advisories ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03 ∗∗∗ Johnson Controls Kantech Door Controllers ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2024
by Daily end-of-shift report 01 Jul '24

01 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-06-2024 18:00 − Montag 01-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Roles in Cybersecurity: CSIRTs / LE / others ∗∗∗ --------------------------------------------- Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn’t in the position to really present my own view on some of the issues, so I’m using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what’s wrong with IT Security. --------------------------------------------- https://www.cert.at/en/blog/2024/7/csirt-le-military ∗∗∗ NIS2 - Implementing Acts ∗∗∗ --------------------------------------------- Es liegen endlich Entwürfe für die Implementing Acts zur NIS 2 Richtline vor, die Umsetzungsdetails regeln werden. Genauer gesagt: es geht um Kriterien, wann ein Vorfall meldepflichtig wird und Maßnahmen zum Risikomanagement. Seitens der EU gibt es ein öffentliches Konsultationsverfahren dazu, das bis zum 25. Juli offen ist. Die Entwürfe sind auch über diese Webseite abrufbar. --------------------------------------------- https://www.cert.at/de/blog/2024/6/nis2-implementing-acts ∗∗∗ Vorsicht vor gefälschten Gewinnspielen zur UEFA EURO 2024 ∗∗∗ --------------------------------------------- Kriminelle verbreiten per E-Mail gefälschte Gewinnspiele zur UEFA EURO 2024. In der E-Mail heißt es, dass man eine UEFA EURO 2024 Mystery Box gewinnen kann, wenn man auf den Link klickt und an einer kurzen Umfrage teilnimmt. Vorsicht: Kriminelle stehlen Ihre Daten und Sie tappen in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gewinnspie… ∗∗∗ Hackers exploit critical D-Link DIR-859 router flaw to steal passwords ∗∗∗ --------------------------------------------- Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-l… ∗∗∗ Dev rejects CVE severity, makes his GitHub repo read-only ∗∗∗ --------------------------------------------- The popular open source project, ip had its GitHub repository archived, or made "read-only" by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-mak… ∗∗∗ Fake IT support sites push malicious PowerShell scripts as Windows fixes ∗∗∗ --------------------------------------------- Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-m… ∗∗∗ Router makers support portal responds with MetaMask phishing ∗∗∗ --------------------------------------------- BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/router-makers-support-portal… ∗∗∗ Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data ∗∗∗ --------------------------------------------- [..] threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension thats designed to steal sensitive information as part of an ongoing intelligence collection effort. --------------------------------------------- https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html ∗∗∗ CapraRAT Spyware Disguised as Popular Apps Threatens Android Users ∗∗∗ --------------------------------------------- The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. [..] The list of new malicious APK files identified by SentinelOne is as follows - Crazy Game, Sexy Videos, TikToks, Weapons --------------------------------------------- https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html ∗∗∗ Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats ∗∗∗ --------------------------------------------- Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia. --------------------------------------------- https://sec-consult.com/blog/detail/unveiling-qilin-agenda-ransomware-a-dee… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh). --------------------------------------------- https://lwn.net/Articles/980252/ ∗∗∗ regreSSHion: Remote Unauthenticated Code Execution Vulnerability (CVE-2024-6387) in OpenSSH server ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle (CVE-2024-6387) wurde im OpenSSH Server (sshd) auf glibc-basierten Linux-Systemen getestet. Diese Sicherheitslücke ermöglicht es einem nicht authentifizierten Angreifer potentiell, über eine Race-Condition im Signalhandler beliebigen Code als root auf dem betroffenen System auszuführen. OpenBSD-basierte Systeme sind nicht betroffen. Obwohl die Schwachstelle als Remote Code Execution (RCE) eingestuft wird, ist ihre Ausnutzung äußerst komplex. [..] Betroffen sind OpenSSH-Versionen früher als 4.4p1, es sei denn, sie wurden gegen die Schwachstellen CVE-2006-5051 und CVE-2008-4109 gepatcht, sowie OpenSSH-Versionen von 8.5p1 bis einschließlich 9.8p1. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/7/regresshion-remote-unauthenticated-… ∗∗∗ IP-Telefonie: Avaya IP Office stopft kritische Sicherheitslecks ∗∗∗ --------------------------------------------- Updates für Avaya IP Office dichten Sicherheitslecks in der Software ab. Angreifer können dadurch Schadcode einschleusen. --------------------------------------------- https://heise.de/-9784229 ∗∗∗ ABB: 2024-07-01: Cyber Security Advisory -ASPECT system operating with default credentials while exposed to the Internet ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&Lan… ∗∗∗ Kubernetes: Invalid entry in vulnerability feed ∗∗∗ --------------------------------------------- https://github.com/kubernetes/website/issues/47003 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2024
by Daily end-of-shift report 28 Jun '24

28 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-06-2024 18:00 − Freitag 28-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Unfurling Hemlock threat actor floods systems with malware ∗∗∗ --------------------------------------------- A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unfurling-hemlock-threat… ∗∗∗ BlackSuit ransomware gang claims attack on KADOKAWA corporation ∗∗∗ --------------------------------------------- The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-gang-cl… ∗∗∗ Teamviewer gehackt: Cyberangriff trifft populäre Fernwartungssoftware ∗∗∗ --------------------------------------------- Teamviewer hat bestätigt, dass es einen Sicherheitsvorfall gegeben hat. Erste Hinweise deuten darauf hin, dass die Hackergruppe Midnight Blizzard dahinterstecken könnte. --------------------------------------------- https://www.golem.de/news/teamviewer-gehackt-cyberangriff-trifft-populaere-… ∗∗∗ Support of SSL 2.0 on web servers in 2024 ∗∗∗ --------------------------------------------- We last discussed SSLv2 support on internet-exposed web servers about a year ago, when we discovered that there were still about 450 thousand web servers that supported this protocol left on the internet. We also found that a significant portion of these servers was located in Kazakhstan, Tunisia .. --------------------------------------------- https://isc.sans.edu/diary/Support+of+SSL+20+on+web+servers+in+2024/31044 ∗∗∗ Microsoft Informs Customers that Russian Hackers Spied on Emails ∗∗∗ --------------------------------------------- Russian hackers who broke into Microsofts systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny .. --------------------------------------------- https://yro.slashdot.org/story/24/06/28/1319219/microsoft-informs-customers… ∗∗∗ Google cuts ties with Entrust in Chrome over trust issues ∗∗∗ --------------------------------------------- Move comes weeks after Mozilla blasted certificate authority for failings Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. --------------------------------------------- https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/ ∗∗∗ An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack ∗∗∗ --------------------------------------------- On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin .. --------------------------------------------- https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-te… ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit heute Morgen sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/akute-welle-an-ddos-angriffen-gegen… ∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗ --------------------------------------------- This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a ∗∗∗ Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz ∗∗∗ --------------------------------------------- On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of .. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/27/supply-chain-compromise-leads-t… ∗∗∗ Juniper: Kritische Lücke erlaubt Angreifern Übernahme von Session Smart Router ∗∗∗ --------------------------------------------- Juniper Networks liefert außerplanmäßige Updates gegen eine kritische Sicherheitslücke in Session Smart Router, -Conductor und WAN Assurance Router. --------------------------------------------- https://heise.de/-9781931 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others ∗∗∗ --------------------------------------------- https://thehackernews.com/2024/06/gitlab-releases-patch-for-critical-cicd.h… ∗∗∗ 2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-B… ∗∗∗ OMSA-2024-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/OMSA-2024-0001.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2024
by Daily end-of-shift report 27 Jun '24

27 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-06-2024 18:00 − Donnerstag 27-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released ∗∗∗ --------------------------------------------- The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-… ∗∗∗ Sicherheitslücke: Ungeschützte API liefert sensible Daten deutscher Häftlinge ∗∗∗ --------------------------------------------- Welcher Häftling wann mit seinem Anwalt oder Therapeuten telefoniert hat, ist aufgrund der Sicherheitslücke für jedermann einsehbar gewesen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-ungeschuetzte-api-liefert-sensi… ∗∗∗ What Setting Live Traps for Cybercriminals Taught Me About Security [Guest Diary], (Wed, Jun 26th) ∗∗∗ --------------------------------------------- For anyone who doesn’t know what a honeypot is, it is a server created specifically for the purpose of gathering information about unauthorized users that connect to it. A honeypot is usually vulnerable by design and often designed to be enticing to trap unsuspecting criminals into spending more time with it. I named my honeypot “Winnie.” --------------------------------------------- https://isc.sans.edu/diary/rss/31038 ∗∗∗ Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads ∗∗∗ --------------------------------------------- The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners. --------------------------------------------- https://thehackernews.com/2024/06/rust-based-p2pinfect-botnet-evolves.html ∗∗∗ Warnung vor Fake Finanzamt-SMS ∗∗∗ --------------------------------------------- Es häufen sich Berichte über eine erneute Smishing-Welle, bei der Kriminelle versuchen, ahnungslose Bürger:innen mit gefälschten SMS-Nachrichten im Namen des Finanzamtes hereinzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-finanzamt-sms/ ∗∗∗ Rabbit R1: Verrissenes KI-Gadget erweist sich auch als Sicherheitsalbtraum ∗∗∗ --------------------------------------------- Hacker demonstrieren, dass sie auf jede an R1-Geräte geschickte Antwort zugreifen können. Zudem lassen sich die Geräte auf diesem Weg beschädigen und Antworten manipulieren. --------------------------------------------- https://www.derstandard.at/story/3000000226115/rabbit-r1-verrissenes-ki-gad… ∗∗∗ Snowflake isn’t an outlier, it’s the canary in the coal mine ∗∗∗ --------------------------------------------- Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. --------------------------------------------- https://blog.talosintelligence.com/infostealer-landscape-facilitates-breach… ∗∗∗ MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems ∗∗∗ --------------------------------------------- FortiGuard Labs uncovers MerkSpy, a new spyware exploiting CVE-2021-40444 to steal keystrokes and sensitive data. --------------------------------------------- https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-4… ∗∗∗ The Growing Threat of Malware Concealed Behind Cloud Services ∗∗∗ --------------------------------------------- Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers. --------------------------------------------- https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-con… ===================== = Vulnerabilities = ===================== ∗∗∗ Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack ∗∗∗ --------------------------------------------- Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. --------------------------------------------- https://thehackernews.com/2024/06/over-110000-websites-affected-by.html ∗∗∗ Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution vulnerability via prompt injection techniques. --------------------------------------------- https://thehackernews.com/2024/06/prompt-injection-flaw-in-vanna-ai.html ∗∗∗ GitLab Security Updates Patch 14 Vulnerabilities ∗∗∗ --------------------------------------------- GitLab CE and EE updates resolve 14 vulnerabilities, including a critical- and three high-severity bugs. --------------------------------------------- https://www.securityweek.com/gitlab-security-updates-patch-14-vulnerabiliti… ∗∗∗ Multiple vulnerabilities in TP-Link Omada system could lead to root access ∗∗∗ --------------------------------------------- Affected devices could include wireless access points, routers, switches and VPNs. --------------------------------------------- https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omad… ∗∗∗ TELSAT marKoni FM Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-07 ∗∗∗ SDG Technologies PnPSCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-05 ∗∗∗ Yokogawa FAST/TOOLS and CI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-03 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06 ∗∗∗ Local Privilege Escalation über MSI Installer in SoftMaker Office / FreeOffice ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2024
by Daily end-of-shift report 26 Jun '24

26 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-06-2024 18:00 − Mittwoch 26-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Medusa Android Trojan Targets Banking Users Across 7 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. --------------------------------------------- https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html ∗∗∗ New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites ∗∗∗ --------------------------------------------- Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. --------------------------------------------- https://thehackernews.com/2024/06/new-credit-card-skimmer-targets.html ∗∗∗ Vorsicht vor Jobbetrug auf dm-supermall.com ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie für Ihren neuen Job, bei dm-supermall.com einkaufen müssen. Diese Plattform ist Teil einer Betrugsmasche. Der neue Job, bei dem Sie Online-Shops oder Dienstleistungen testen, ist betrügerisch. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobbetrug-auf-dm-superm… ∗∗∗ Attackers Exploiting Public Cobalt Strike Profiles ∗∗∗ --------------------------------------------- Unit 42 researchers examine how attackers use publicly available Malleable C2 profiles, examining their structure to reveal evasive techniques. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-… ∗∗∗ Buying a VPN? Here’s what to know and look for ∗∗∗ --------------------------------------------- VPNs are not all created equal – make sure to choose the right provider that will help keep your data safe from prying eyes. --------------------------------------------- https://www.welivesecurity.com/en/privacy/buying-vpn-what-know-look-for/ ===================== = Vulnerabilities = ===================== ∗∗∗ Snowblind malware abuses Android security feature to bypass security ∗∗∗ --------------------------------------------- A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/snowblind-malware-abuses-and… ∗∗∗ A Novel DoS Vulnerability affecting WebRTC Media Servers ∗∗∗ --------------------------------------------- A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. --------------------------------------------- https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-med… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, python3.11, and python3.9), Debian (chromium, emacs, git, linux-5.10, and org-mode), Fedora (libopenmpt, nginx-mod-modsecurity, and thunderbird), Mageia (emacs, python-ansible-core, and python-authlib), Oracle (git, python3.11, and python3.9), Red Hat (kernel, kernel-rt, and samba), and Ubuntu (ansible, cups, google-guest-agent, google-osconfig-agent, libheif, openvpn, roundcube, and salt). --------------------------------------------- https://lwn.net/Articles/979740/ ∗∗∗ Supply-Chain-Angriff gegen polyfill.js ∗∗∗ --------------------------------------------- Die populäre Javascript-Bibliothek polyfill.js, welche von Entwickler:innen verwendet wird, um alte Browserversionen zu unterstützen, wurde Opfer eines Supply-Chain-Angriffes beziehungsweise für einen solchen missbraucht. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/supply-chain-angriff-gegen-polyfill… ∗∗∗ Jetzt patchen! Progress-MOVEit-Sicherheitslücken werden bereits angegriffen ∗∗∗ --------------------------------------------- Progress hat zwei kritische Lücken in MOVEit Gateway und Transfer gestopft. Eine davon missbrauchen Cyberkriminelle bereits. --------------------------------------------- https://heise.de/-9778266 ∗∗∗ Sicherheitslücke: Apple stoppt Bluetooth-Übernahme von AirPods und Beats-Geräten ∗∗∗ --------------------------------------------- Apple hat eine neue Firmware für verschiedene Kopfhörermodelle veröffentlicht, die eine problematische Lücke schließt. Das Update ist allerdings nicht einfach. --------------------------------------------- https://heise.de/-9778924 ∗∗∗ ZDI-24-882: VMware vCenter Server Appliance License Server Uncontrolled Memory Allocation Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-882/ ∗∗∗ Multiple Vulnerabilities in Siemens Power Automation Products (CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2024
by Daily end-of-shift report 25 Jun '24

25 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 24-06-2024 18:00 − Dienstag 25-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ NISG 2024 im Innenausschuss ∗∗∗ --------------------------------------------- Ich wurde eingeladen, am 19. Juni im Innenausschuss des Parlaments als Experte in einem Hearing zum NISG 2024 aufzutreten. Das war keine Vorladung zu einem Untersuchungsausschuss, die man kaum ausschlagen kann, sondern ein wirklich freiwilliger Termin. Ich war schon öfters beruflich im Parlament, aber bisher immer auf Einladung der Parlamentsdirektion: das hier war der erste Termin mit Mandataren. Die Illusion, mit diesem Auftritt irgendwas bewirken zu können, hatte ich nie. [..] In diesem Blogpost will ich kurz erklären, was ich kommunizieren wollte. --------------------------------------------- https://www.cert.at/de/blog/2024/6/nisg-2024-im-innenausschuss ∗∗∗ New attack uses MSC files and Windows XSS flaw to breach networks ∗∗∗ --------------------------------------------- A novel command execution technique dubbed GrimResource uses specially crafted MSC (Microsoft Saved Console) and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-grimresource-attack-uses… ∗∗∗ Kurioser Fehlalarm: Microsoft Defender stuft harmlose Textdatei als Trojaner ein ∗∗∗ --------------------------------------------- Der Microsoft Defender erkannte demnach eine einfache Textdatei mit dem Inhalt "This content is no longer available." (auf Deutsch: "Dieser Inhalt ist nicht mehr verfügbar.") als Trojaner – genauer gesagt als Trojan:Win32/Casdet!rfn. [..] wurde der Fehlalarm angeblich dadurch ausgelöst, dass jemand eine Textdatei mit dem bereits genannten Inhalt in die Malwaredatenbank von Microsoft aufgenommen hat. Inzwischen scheint der Konzern das Problem aber behoben zu haben ... --------------------------------------------- https://www.golem.de/news/kurioser-fehlalarm-microsoft-defender-stuft-harml… ∗∗∗ Atlas Oil: The Consequences of a Ransomware Attack ∗∗∗ --------------------------------------------- Overview Atlas Oil, a major player in the oil and fuel distribution industry, fell victim to a ransomware attack orchestrated by the Black Basta group. This attack not only compromised sensitive company data but also exposed a variety of documents that could potentially harm the company’s operations and reputation. Overall, Black Basta claims to have exfiltrated approximately 730 GB of data. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/atlas-oil-t… ∗∗∗ New Cyberthreat Boolka Deploying BMANAGER Trojan via SQLi Attacks ∗∗∗ --------------------------------------------- A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER. --------------------------------------------- https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html ∗∗∗ Recent Zyxel NAS Vulnerability Exploited by Botnet ∗∗∗ --------------------------------------------- A Mirai-like botnet has started exploiting a critical-severity vulnerability in discontinued Zyxel NAS products. Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug. --------------------------------------------- https://www.securityweek.com/recent-zyxel-nas-vulnerability-exploited-by-bo… ∗∗∗ Falscher Ryanair-Support auf X ∗∗∗ --------------------------------------------- Wenn Sie Probleme mit Ihrem Ryanair-Flug haben, gibt es verschiedene Möglichkeiten, den Kundenservice zu erreichen. Eine Möglichkeit ist X (früher Twitter). Achten Sie bei der Kontaktaufnahme über X jedoch darauf, dass Sie eine Anfrage an das richtige Profil senden. Immer häufiger geben sich Kriminelle mit gefälschten Profilen als Ryanair Support aus, um Geld und Daten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/falscher-ryanair-support-auf-x/ ∗∗∗ Betrügerische Finanz-Online-SMS ∗∗∗ --------------------------------------------- Derzeit versenden Kriminelle wieder vermehrt gefälschte Nachrichten im Namen des Finanzamtes. Darin wird behauptet, dass Ihre Registrierung für die Finanz-Online ID abläuft und Sie Ihre Daten über einen Link erneuern sollen. Klicken Sie nicht auf den Link, Kriminelle stehlen Ihre persönlichen Daten! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-finanz-online-sms/ ∗∗∗ Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806) ∗∗∗ --------------------------------------------- Many sysadmins may remember last year’s CVE-2023-34362, a cataclysmic vulnerability in Progress MOVEit Transfer that sent ripples through the industry, claiming such high-profile victims as the BBC and FBI. [..] Today (25th June 2024), Progress un-embargoed an authentication bypass vulnerability in Progress MOVEit Transfer. --------------------------------------------- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-mov… ∗∗∗ Grazer Lauschangriff braucht bloß TCP/IP - weder Malware noch Sicherheitslücke ∗∗∗ --------------------------------------------- Der SnailLoad genannte Lauschangriff gründet darauf, dass Downloads verschiedener Dateien Schwankungen der Paketlaufzeiten aufweisen (Round Trip Times, RTTs), und dass diese Schwankungen individuell sind, sofern dieselbe Datei vom selben Server auf demselben Netzwerkweg geladen wird. [..] Damit lässt sich ermitteln, welches Video oder welche Webseite ein User abruft. [..] Die Angriffe lassen sich von beliebigen Positionen im Internet führen, von denen aus sich IP-Pakete an das Opfer schicken lassen. --------------------------------------------- https://heise.de/-9775311 ∗∗∗ Wordpress: Fünf Plug-ins mit Malware unterwandert ∗∗∗ --------------------------------------------- In fünf Wordpress-Plug-ins haben IT-Sicherheitsforscher dieselbe eingeschleuste Malware entdeckt. --------------------------------------------- https://heise.de/-9777207 ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress 6.5.5 Security Release – What You Need to Know ∗∗∗ --------------------------------------------- WordPress Core 6.5.5 was released yesterday, on June 24, 2023. Contained within this release are three security fixes addressing two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. Despite these vulnerabilities being medium-severity, the worst of them (specifically, the XSS vulnerabilities) can allow for site takeover by an authenticated, contributor-level user if successfully exploited. --------------------------------------------- https://www.wordfence.com/blog/2024/06/wordpress-6-5-5-security-release-wha… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python3.11), Debian (composer), Fedora (thunderbird), Mageia (chromium-browser-stable, python-aiohttp, python-gunicorn, python-werkzeug, and virtualbox), Oracle (libreswan and python3.11), Red Hat (git, kpatch-patch, python3.11, python3.9, and thunderbird), and SUSE (avahi, ghostscript, grafana and mybatis, hdf5, kernel, openssl-1_1-livepatches, python-docker, and wget). --------------------------------------------- https://lwn.net/Articles/979606/ ∗∗∗ Cloud Software Group Security Advisory for CVE-2024-3661 ∗∗∗ --------------------------------------------- This vulnerability may allow an attacker on the same local network as the victim to read, disrupt, or modify network traffic expected to be protected by the VPN. [..] CTX677069 NewCloud Software Group Security Advisory for CVE-2024-3661 [..] Applicable Products : NetScaler, NetScaler Gateway --------------------------------------------- https://support.citrix.com/article/CTX677069/cloud-software-group-security-… ∗∗∗ ABB: 2024-06-25: Cyber Security Advisory -ABB PCM600 Installer Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002251&Language… ∗∗∗ ABB Ability System 800xA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-01 ∗∗∗ PTC Creo Elements/Direct License Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily