Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 16.10.2024
by Daily end-of-shift report 16 Oct '24

16 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat. --------------------------------------------- https://asec.ahnlab.com/en/83877/ ∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗ --------------------------------------------- Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany. --------------------------------------------- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info… ∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗ --------------------------------------------- A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us… ∗∗∗ Mehrere Dienste betroffen: Microsoft warnt Kunden vor Datenverlust beim Logging ∗∗∗ --------------------------------------------- Durch einen Softwarefehler hat Microsoft einige für seine Kunden wichtige Protokolldaten verloren. Betroffen sind mehrere Clouddienste des Konzerns. --------------------------------------------- https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-… ∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗ --------------------------------------------- The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said. --------------------------------------------- https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html ∗∗∗ Windows 11 24H2: Probleme mit VPN-Verbindungen, Direct Access … ∗∗∗ --------------------------------------------- Seit Microsoft Windows 11 24H2 allgemein freigegeben hat, sind mir Meldungen zu Problemen rund um das Thema VPN-Verbindungen (CheckPoint VPN, WireGuard, Direct Access) untergekommen. Ich fasse mal einige dieser Meldungen in einem Beitrag zusammen, auch um ein Bild zu bekommen, ob es nur Einzelfälle sind oder ob mehr Leute betroffen sind. --------------------------------------------- https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v… ∗∗∗ Windows 11 24H2: Recall nicht deinstallierbar … ∗∗∗ --------------------------------------------- Trotz gegenteiliger Zusicherungen stellt sich momentan heraus, dass Microsofts umstrittene Funktion Recall sich nicht [ohne Kollateralschäden] unter Windows 11 24H2 deinstallieren lässt – das Ganze ist aktuell aber wohl noch im Fluss. --------------------------------------------- https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins… ∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗ --------------------------------------------- This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran… ∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗ --------------------------------------------- The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines.This enables private data to be held locally instead of being sent to a cloud for processing. --------------------------------------------- https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2024.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim). --------------------------------------------- https://lwn.net/Articles/994436/ ∗∗∗ HP-DesignJet-Drucker: Angreifer können SMTP-Server-Logins abgreifen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, ist die Schwachstelle (CVE-2024-5749) mit dem Bedrohungsgrad "hoch" eingestuft. Klappen Attacken, sind SMTP-Server-Zugangsdaten einsehbar. Wie so ein Angriff ablaufen könnte, führen die HP-Entwickler derzeit nicht aus. Konkret davon betroffen sind die DesignJet-Modelle T730 und T830. --------------------------------------------- https://heise.de/-9983364 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/ ∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_14 ∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_13 ∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html ∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141463 ∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141459 ∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141302 ∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140061 ∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2024
by Daily end-of-shift report 15 Oct '24

15 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗ --------------------------------------------- Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro… ∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗ --------------------------------------------- The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s… ∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗ --------------------------------------------- This blog post is the first of three, that look at the key steps for an effective investigation, response, and remediation to email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv… ∗∗∗ Vorsicht vor Anrufen vom „Bankbetrugssystem Österreich“ ∗∗∗ --------------------------------------------- Derzeit werden uns wieder vermehrt Tonbandanrufe gemeldet. Eine computergenerierte Stimme gibt sich als Bankbetrugssystem Österreich aus und behauptet, dass eine Zahlung von 1500 Euro abgelehnt wurde und Ihr Konto möglicherweise gehackt wurde. Sie werden aufgefordert, die Taste „1“ zu drücken, um mit einer echten Person verbunden zu werden. Legen Sie auf, das ist Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs… ∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗ --------------------------------------------- ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers. --------------------------------------------- https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability, CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability, CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex… ∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗ --------------------------------------------- Today wed like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinets FortiGate devices. It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild. --------------------------------------------- https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗ --------------------------------------------- Splunk released 12 security advisories: 4x high, 8x medium --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Kritische Schwachstellen in Industrieroutern mbNET ∗∗∗ --------------------------------------------- In industriellen Fernwartungsgateways und Industrieroutern mbNET wurden mehrere, teils schwerwiegende Sicherheitsschwachstellen identifiziert. Sie ermöglichen es, das Gerät vollständig zu kompromittieren sowie verschlüsselte Konfigurationen zu entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3). --------------------------------------------- https://lwn.net/Articles/994268/ ∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗ --------------------------------------------- The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve. --------------------------------------------- https://therecord.media/wordpress-jetpack-plugin-fixes-flaw ∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1382/ ∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83868/ ∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128007 ∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2024
by Daily end-of-shift report 14 Oct '24

14 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗ --------------------------------------------- Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a… ∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗ --------------------------------------------- Googles Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the companys deprecation of the Manifest V2 extension specification. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and… ∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗ --------------------------------------------- Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc… ∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗ --------------------------------------------- A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users. --------------------------------------------- https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html ∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗ --------------------------------------------- While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve. --------------------------------------------- https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams ∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates. --------------------------------------------- https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da… ∗∗∗ Achtung: Neue textbasierte QR-Code-Phishing-Varianten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Barracuda sind auf eine neue Variante zur Gestaltung von Phishing-Nachrichten gestoßen. Diese verwenden QR-Codes aus textbasierten ASCII/Unicode-Zeichen, statt wie üblich aus statischen Bildern erstellt zu werden, um herkömmliche Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-… ∗∗∗ Sicherheitslücke in Ecovacs-Saugrobotern erlaubt Remote-Steuerung durch Hacker ∗∗∗ --------------------------------------------- In den USA häufen sich Fälle, in denen gehackte Saugroboter offenbar fremdgesteuert Beleidigungen zurufen und Bilder über die interne Kamera übertragen. --------------------------------------------- https://heise.de/-9979104 ===================== = Vulnerabilities = ===================== ∗∗∗ Notfall-Update: Tor-Nutzer über kritische Firefox-Lücke attackiert ∗∗∗ --------------------------------------------- Eine kritische Firefox-Schwachstelle betrifft auch den Tor-Browser und Thunderbird. Patches stehen bereit, kommen für einige Tor-Nutzer aber zu spät. --------------------------------------------- https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox… ∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗ --------------------------------------------- The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary codes. --------------------------------------------- https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon). --------------------------------------------- https://lwn.net/Articles/994080/ ∗∗∗ Sicherheitsupdate: Angreifer können Netzwerkanalysetool Wireshark crashen lassen ∗∗∗ --------------------------------------------- Wireshark ist in einer gegen mögliche Angriffe abgesicherten Version erschienen. Darin haben die Entwickler auch mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9979991 ∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1374/ ∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1369/ ∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2024
by Daily end-of-shift report 11 Oct '24

11 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗ --------------------------------------------- Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now… ∗∗∗ Digitaler Krieg: Russische Hacker sollen Zimbra- und Teamcity-Exploits nutzen ∗∗∗ --------------------------------------------- Staatliche russische Hacker nähmen Zimbra- und Jetbrains Teamcity-Installationen westlicher Unternehmen aufs Korn, warnen die USA und Großbritannien. --------------------------------------------- https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un… ∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗ --------------------------------------------- The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the worlds largest and longest-running dark web market for illegal goods, drugs, and cybercrime services.The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. --------------------------------------------- https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html ∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗ --------------------------------------------- If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account. --------------------------------------------- https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗ --------------------------------------------- Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗ --------------------------------------------- Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model. --------------------------------------------- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/ ∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗ --------------------------------------------- Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. --------------------------------------------- https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/ ∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗ --------------------------------------------- CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure… ∗∗∗ EU-Rat bringt Cyber Resilience Act auf den Weg ∗∗∗ --------------------------------------------- Künftig müssen vernetzte Produkte, die in der EU in Verkehr gebracht werden, gegen Angriffe gesichert sein und das mit dem CE-Zeichen signalisieren. --------------------------------------------- https://heise.de/-9977103 ===================== = Vulnerabilities = ===================== ∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗ --------------------------------------------- GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. --------------------------------------------- https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h… ∗∗∗ Priviledged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-472 ∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗ --------------------------------------------- It is possible to: * Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses * Extract all Gyms join passwords [..] * Bypass user-chosen privacy settings --------------------------------------------- https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8). --------------------------------------------- https://lwn.net/Articles/993778/ ∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗ --------------------------------------------- * CVE-2024-9680: Use-after-free in Animation timeline --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/ ∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗ --------------------------------------------- The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type. --------------------------------------------- https://asec.ahnlab.com/en/83775/ ∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗ --------------------------------------------- * CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows) * CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded) --------------------------------------------- https://asec.ahnlab.com/en/83776/ ∗∗∗ Anonymisierendes Linux: Tails 6.8.1 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Das zum anonymen Surfen gedachte Tails-Linux schließt in Version 6.8.1 eine Sicherheitslücke. Es verbessert zudem den Umgang mit persistentem Speicher. --------------------------------------------- https://heise.de/-9977905 ∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54676967/ ∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2024
by Daily end-of-shift report 10 Oct '24

10 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗ --------------------------------------------- Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component. --------------------------------------------- https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h… ∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-… ∗∗∗ Benutzt hier jemand ein Smartphone mit Qualcomm-SOC? ∗∗∗ --------------------------------------------- Für viele Android-Geräte da draußen ist die Antwort: Ja.The zero-day vulnerability, officially designated CVE-2024-43047, “may be under limited, targeted exploitation,” according to Qualcomm, citing unspecified “indications” from Google’s Threat Analysis Group, the company’s research unit that investigates government hacking threats. --------------------------------------------- http://blog.fefe.de/?ts=99f9d232 ∗∗∗ Magenta ID wurde deaktiviert: Vorsicht vor täuschend echter Phishing-Mail ∗∗∗ --------------------------------------------- Ein sehr gut gefälschtes Magenta-Mail ist gerade in Österreich in Umlauf. Wer genau hinsieht, kann es entlarven. --------------------------------------------- https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi… ∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗ --------------------------------------------- Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket ∗∗∗ File hosting services misused for identity phishing ∗∗∗ --------------------------------------------- Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi… ∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗ --------------------------------------------- IntroductionDarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT’s capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi… ∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗ --------------------------------------------- * New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider * Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested * New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies --------------------------------------------- https://asec.ahnlab.com/en/83739/ ∗∗∗ Internet Archive unter Beschuss: Über 30 Millionen Nutzerdaten gestohlen ∗∗∗ --------------------------------------------- Bislang Unbekannte vergriffen sich mehrfach am Internet Archive. Bereits im September wurden Nutzerdaten und Passwort-Hashes abgezogen. --------------------------------------------- https://heise.de/-9975986 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb… ∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗ --------------------------------------------- Cybersecurity security researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands.The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. --------------------------------------------- https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html ∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗ --------------------------------------------- Project: wkhtmltopdfDate: 2024-October-09Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: UnsupportedAffected versions: *Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupportedSol…: If you use this project, --------------------------------------------- https://www.drupal.org/sa-contrib-2024-049 ∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗ --------------------------------------------- Project: FacetsDate: 2024-October-09Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: Description: This module enables you to to easily create and manage faceted search interfaces.The module doesnt sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.Solution: Install the latest version:If you use the Facets module, upgrade to Facets --------------------------------------------- https://www.drupal.org/sa-contrib-2024-047 ∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗ --------------------------------------------- Project: Block permissionsDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=1.0.0 Description: This module enables you to manage blocks from specific modules in the specific themes.The module doesnt sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route --------------------------------------------- https://www.drupal.org/sa-contrib-2024-046 ∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗ --------------------------------------------- Project: Monster MenusDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass, Information DisclosureAffected versions: Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this --------------------------------------------- https://www.drupal.org/sa-contrib-2024-045 ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- Project: GutenbergDate: 2024-October-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: =3.0.0 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.This vulnerability is mitigated by the fact that the tricked user needs to have an --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products. --------------------------------------------- https://support.broadcom.com/web/ecx/support-=content-notification/-/extern… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit). --------------------------------------------- https://lwn.net/Articles/993595/ ∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗ --------------------------------------------- An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83704/ ∗∗∗ Ivanti Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive) * CVE-2024-7612: Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive) * CVE-2024-9167: Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive) --------------------------------------------- https://asec.ahnlab.com/en/83706/ ∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗ --------------------------------------------- Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83710/ ∗∗∗ SAP Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420 * CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440 * CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108 --------------------------------------------- https://asec.ahnlab.com/en/83736/ ∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- 1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability 2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability 3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017 ∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs * ICSA-24-284-02 Siemens Simcenter Nastran * ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go * ICSA-24-284-04 Siemens SENTRON PAC3200 Devices * ICSA-24-284-05 Siemens Questa and ModelSim * ICSA-24-284-06 Siemens SINEC Security Monitor * ICSA-24-284-07 Siemens JT2Go * ICSA-24-284-08 Siemens HiMed Cockpit * ICSA-24-284-09 Siemens PSS SINCAL * ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs * ICSA-24-284-11 Siemens RUGGEDCOM APE1808 * ICSA-24-284-12 Siemens Sentron Powercenter 1000 * ICSA-24-284-13 Siemens Tecnomatix Plant Simulation * ICSA-24-284-14 Schneider Electric Zelio Soft 2 * ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-17 Rockwell Automation Verve Asset Manager * ICSA-24-284-18 Rockwell Automation Logix Controllers * ICSA-24-284-19 Rockwell Automation PowerFlex 6000T * ICSA-24-284-20 Rockwell Automation ControlLogix * ICSA-24-284-21 Delta Electronics CNCSoft-G2 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one… ∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗ --------------------------------------------- Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running specific command (CVE-2024-47496) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-438590.html ∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9469 ∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9471 ∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9468 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 ∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9473 ∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0011 ∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9470 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2024
by Daily end-of-shift report 09 Oct '24

09 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2024 18:00 − Mittwoch 09-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Two never-before-seen tools, from same group, infect air-gapped devices ∗∗∗ --------------------------------------------- Its hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. --------------------------------------------- https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-s… ∗∗∗ European govt air-gapped systems breached using custom malware ∗∗∗ --------------------------------------------- An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-sys… ∗∗∗ New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks ∗∗∗ --------------------------------------------- An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176. --------------------------------------------- https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix… ∗∗∗ Sicherheitslücke: RDP-Server von Windows aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Ein erfolgreicher Angriff erfordert zwar eine gewonnene Race Condition, dafür aber keinerlei Authentifizierung oder Nutzer-Interaktion. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-rdp-server-von-windows-aus-der-… ∗∗∗ Cisco warnt: Kinder erhöhen Cyberrisiko im Homeoffice ∗∗∗ --------------------------------------------- Laut Cisco erlauben rund zwei Drittel aller Eltern im Homeoffice ihren Kindern den Zugriff auf beruflich genutzte Geräte - häufig sogar unbeaufsichtigt. --------------------------------------------- https://www.golem.de/news/cisco-warnt-kinder-erhoehen-cyberrisiko-im-homeof… ∗∗∗ From Perfctl to InfoStealer ∗∗∗ --------------------------------------------- A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I wont repeat what has been already disclosed. I found a .. --------------------------------------------- https://isc.sans.edu/diary/From+Perfctl+to+InfoStealer/31334 ∗∗∗ Ransomware gang Trinity joins pile of scumbags targeting healthcare ∗∗∗ --------------------------------------------- As if hospitals and clinics didnt have enough to worry about At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds. --------------------------------------------- https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcar… ∗∗∗ Patch Tuesday, October 2024 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes .. --------------------------------------------- https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/ ∗∗∗ How to handle vulnerability reports in aviation ∗∗∗ --------------------------------------------- TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-handle-vulnerability-r… ∗∗∗ So stehlen Kriminelle mit gefälschten FinanzOnline-Benachrichtigungen Ihre Bankomatkarte ∗∗∗ --------------------------------------------- Sie werden per SMS über eine Rückerstattung vom Finanzamt informiert und klicken auf den Link. Sie gelangen auf die Webseite des Finanzamts – zumindest sieht es so aus. Sie wählen Ihre Bank aus, um das Geld zu erhalten. Doch plötzlich kommt eine Fehlermeldung von Ihrer Bank. Sie erhalten eine neue Bankomatkarte und müssen die alte zerschneiden und .. --------------------------------------------- https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-… ∗∗∗ Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware ∗∗∗ --------------------------------------------- Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-jo… ∗∗∗ Schwachstellen in Intels Sicherheitstechnologie TDX entdeckt ∗∗∗ --------------------------------------------- Wissenschaftler von der Universität zu Lübeck haben Schwachstellen in Intels Trusted Domain Extensions identifiziert. Intel hat eine Lücke bereits geschlossen. --------------------------------------------- https://heise.de/-9974224 ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-24:12 GitLab ∗∗∗ --------------------------------------------- A vulnerability allows remote attacker to bypass authentication via a susceptible version of GitLab. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_12 ∗∗∗ DSA-5729-2 apache2 - regression update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00200.html ∗∗∗ Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2023-07-12 ∗∗∗ Local Privilege Escalation mittels MSI installer in Palo Alto Networks GlobalProtect ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ October Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/october-2024-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2024
by Daily end-of-shift report 08 Oct '24

08 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2024 18:00 − Dienstag 08-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ADT discloses second breach in 2 months, hacked via stolen credentials ∗∗∗ --------------------------------------------- Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-… ∗∗∗ Casio reports IT systems failure after weekend network breach ∗∗∗ --------------------------------------------- Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-fai… ∗∗∗ New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code.Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. --------------------------------------------- https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.h… ∗∗∗ Feds reach for sliver of crypto-cash nicked by North Koreas notorious Lazarus Group ∗∗∗ --------------------------------------------- The US government is attempting to claw back more than $2.67 million stolen by North Koreas Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_g… ∗∗∗ Shining Light on the Dark Angels Ransomware Group ∗∗∗ --------------------------------------------- The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies. --------------------------------------------- https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-r… ∗∗∗ 7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin ∗∗∗ --------------------------------------------- On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites. --------------------------------------------- https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-una… ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million ∗∗∗ --------------------------------------------- A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal. --------------------------------------------- https://therecord.media/raccoon-stealer-operator-pleads-guilty ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Crypto-Stealing Code Lurking in Python Package Dependencies ∗∗∗ --------------------------------------------- On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. --------------------------------------------- https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-d… ∗∗∗ Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass ∗∗∗ --------------------------------------------- Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs. --------------------------------------------- https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/ ∗∗∗ Cyberattack on American Water Shuts Down Customer Portal, Halts Billing ∗∗∗ --------------------------------------------- American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident. --------------------------------------------- https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/ ∗∗∗ Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure ∗∗∗ --------------------------------------------- The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts. --------------------------------------------- https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infr… ∗∗∗ Lua Malware Targeting Student Gamers via Fake Game Cheats ∗∗∗ --------------------------------------------- Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected. --------------------------------------------- https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qualcomm patches high-severity zero-day exploited in attacks ∗∗∗ --------------------------------------------- Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severi… ∗∗∗ TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to information disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-012 ∗∗∗ TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to denial of service. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-011 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters). --------------------------------------------- https://lwn.net/Articles/993276/ ∗∗∗ Kritische Sicherheitslücken in Draytek-Geräten erlauben Systemübernahme ∗∗∗ --------------------------------------------- Forscher fanden im Betriebssystem der Vigor-Router vierzehn neue Lücken, betroffen sind zwei Dutzend teilweise veraltete Typen. Patches stehen bereit. --------------------------------------------- https://heise.de/-9973906 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2024
by Daily end-of-shift report 07 Oct '24

07 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2024 18:00 − Montag 07-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗ --------------------------------------------- Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned… ∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗ --------------------------------------------- MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. --------------------------------------------- https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom… ∗∗∗ Spielzeugmarke: Hack der Lego-Webseite zielt auf Kryptobetrug ab ∗∗∗ --------------------------------------------- Am 4. Oktober 2024 wurde die offizielle Website von Lego Opfer eines Hacks. Unbekannte bewarben eine Kryptowährung namens Lego-Coin. --------------------------------------------- https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k… ∗∗∗ Nach US-Bann: Kaspersky fliegt weltweit aus dem Google Play Store ∗∗∗ --------------------------------------------- Kaspersky-Software ist seit Tagen nicht mehr im Play Store erhältlich. Ursache ist das US-Verbot des russischen Herstellers - mit globalen Auswirkungen. --------------------------------------------- https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go… ∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations. --------------------------------------------- https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/ ∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗ --------------------------------------------- This blog explores HUMINTs role in cybersecurity, detailing its implementation, benefits, and potential risks. --------------------------------------------- https://www.sans.org/blog/humint-and-its-role-within-cybersecurity ∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗ --------------------------------------------- Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.) --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack… ∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.The flaw, tracked as CVE-2024-47561, .. --------------------------------------------- https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html ∗∗∗ Chinesische Hacker stehlen sensible Daten von US-Gerichten ∗∗∗ --------------------------------------------- Via Internetdienstanbieter verschafft sich die "Salt Typhoon"-Kampagne Zugriff zu heiklen Daten. US-Behörden befürchten weitere Angriffe --------------------------------------------- https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s… ∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗ --------------------------------------------- Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/ ∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗ --------------------------------------------- This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included. --------------------------------------------- https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma… ∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗ --------------------------------------------- Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies. --------------------------------------------- https://therecord.media/russian-state-media-company-disrupted-cyberattack ∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗ --------------------------------------------- How to communicate more effectively with board members to improve cyber security decision making. --------------------------------------------- https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin… ∗∗∗ Forensic Readiness in Container Environments ∗∗∗ --------------------------------------------- One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness. --------------------------------------------- https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗ --------------------------------------------- Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00198.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), .. --------------------------------------------- https://lwn.net/Articles/993160/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2024
by Daily end-of-shift report 04 Oct '24

04 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-10-2024 18:00 − Freitag 04-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps ∗∗∗ --------------------------------------------- During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks flood. [..] Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-re… ∗∗∗ Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks ∗∗∗ --------------------------------------------- Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-ma… ∗∗∗ Survey of CUPS exploit attempts, (Fri, Oct 4th) ∗∗∗ --------------------------------------------- It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results. --------------------------------------------- https://isc.sans.edu/diary/rss/31326 ∗∗∗ Apple fixes bug that let VoiceOver shout your passwords ∗∗∗ --------------------------------------------- Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceo… ∗∗∗ Sicherheitsupdates: Cisco patcht Lücken in Produkten quer durch die Bank ∗∗∗ --------------------------------------------- Neben einem kritischen Fehler kümmert sich der Netzwerkausrüster auch um einige Lücken mit mittlerem und hohem Risikograd. Patches stehen bereit. --------------------------------------------- https://heise.de/-9961998 ∗∗∗ DRAY:BREAK Breaking Into DreyTek Routers Before Threat Actors Do It Again ∗∗∗ --------------------------------------------- In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers. --------------------------------------------- https://www.forescout.com/resources/draybreak-draytek-research/ ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ Ransomware Groups Demystified: CyberVolk Ransomware ∗∗∗ --------------------------------------------- As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. --------------------------------------------- https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-c… ∗∗∗ Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks ∗∗∗ --------------------------------------------- Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. --------------------------------------------- https://thehackernews.com/2024/10/android-14-adds-new-security-features.html ∗∗∗ Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone ∗∗∗ --------------------------------------------- Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail. --------------------------------------------- https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip). --------------------------------------------- https://lwn.net/Articles/992936/ ∗∗∗ Keycloak 26.0.0 released ∗∗∗ --------------------------------------------- CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core, CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect , CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak, CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java --------------------------------------------- https://www.keycloak.org/2024/10/keycloak-2600-released ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2024
by Daily end-of-shift report 03 Oct '24

03 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-10-2024 18:00 − Donnerstag 03-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake browser updates spread updated WarmCookie malware ∗∗∗ --------------------------------------------- A new FakeUpdate campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-… ∗∗∗ FIN7 hackers launch deepfake nude “generator” sites to spread malware ∗∗∗ --------------------------------------------- The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake… ∗∗∗ Weird Zimbra Vulnerability ∗∗∗ --------------------------------------------- Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit.In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.h… ∗∗∗ INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa ∗∗∗ --------------------------------------------- INTERPOL has announced the arrest of eight individuals in Côte dIvoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes .. --------------------------------------------- https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html ∗∗∗ APT and financial attacks on industrial organizations in Q2 2024 ∗∗∗ --------------------------------------------- This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. --------------------------------------------- https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-in… ∗∗∗ Experts warn of DDoS attacks using linux printing vulnerability ∗∗∗ --------------------------------------------- A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline. --------------------------------------------- https://therecord.media/ddos-attacks-cups-linux-print-vulnerability ∗∗∗ As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever ∗∗∗ --------------------------------------------- Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) in 2023, only 87 were investigated — fewer than 7%. The numbers so far for 2024 are similar. --------------------------------------------- https://therecord.media/uk-ico-ransomware-investigations-data ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat .. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ perfctl: A Stealthy Malware Targeting Millions of Linux Servers ∗∗∗ --------------------------------------------- In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you .. --------------------------------------------- https://blog.aquasec.com/perfctl-a-stealthy-malware-targeting-millions-of-l… ∗∗∗ "Alptraum": Daten aller niederländischen Polizisten geklaut – von Drittstaat? ∗∗∗ --------------------------------------------- Hacker haben die Kontaktdaten aller Mitarbeiter der Polizei erbeutet. Nun kommt das Justizministerium mit einer weiteren alarmierenden Nachricht. --------------------------------------------- https://heise.de/-9961529 ∗∗∗ Thailändische Regierung von neuem APT "CeranaKeeper" angegriffen ∗∗∗ --------------------------------------------- Bei Angriffen auf thailändische Behörden erbeuteten Cyberkriminelle Daten, indem sie verschlüsselte Dateien zu Filesharing-Diensten hochluden. --------------------------------------------- https://heise.de/-9961562 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1321: Apple macOS AppleVADriver Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1321/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15). --------------------------------------------- https://lwn.net/Articles/992798/ ∗∗∗ Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-043 ∗∗∗ Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily