=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-09-2024 18:00 − Montag 23-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hyper-V und VMware: Schwachstellen, Patches, PoCs ∗∗∗
---------------------------------------------
In Hyper-V wurde kürzlich eine Schwachstelle gepatcht – jetzt gibt es einen Proof of Concept (PoC) für diese Schwachstelle. Und bei VMware gibt es ebenfalls Schwachstellen sowie Infos, wie sich aus der VM ausbrechen lässt.
---------------------------------------------
https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-…
∗∗∗ Android malware Necro infects 11 million devices via Google Play ∗∗∗
---------------------------------------------
A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-necro-infect…
∗∗∗ Global infostealer malware operation targets crypto users, gamers ∗∗∗
---------------------------------------------
A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/global-infostealer-malware-o…
∗∗∗ Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd) ∗∗∗
---------------------------------------------
While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address).
---------------------------------------------
https://isc.sans.edu/diary/rss/31288
∗∗∗ Staying a Step Ahead: Mitigating the DPRK IT Worker Threat ∗∗∗
---------------------------------------------
This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it…
∗∗∗ Why Do Criminals Love Phishing-as-a-Service Platforms? ∗∗∗
---------------------------------------------
Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-crim…
∗∗∗ CISA boss: Makers of insecure software are enablers of the real villains ∗∗∗
---------------------------------------------
Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_…
∗∗∗ Proxy Detection: Comparing Detection Services with the Truth ∗∗∗
---------------------------------------------
In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth.
---------------------------------------------
https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-ser…
∗∗∗ Hackers Claim Second Dell Data Breach in One Week ∗∗∗
---------------------------------------------
Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident.
---------------------------------------------
https://hackread.com/dell-hit-by-second-security-breach-in-week/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15).
---------------------------------------------
https://lwn.net/Articles/991377/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 19-09-2024 18:00 − Freitag 20-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ever wonder how crooks get the credentials to unlock stolen phones? ∗∗∗
---------------------------------------------
iServer provided a simple service for phishing credentials to unlock phones.
---------------------------------------------
https://arstechnica.com/?p=2051165
∗∗∗ CISA warns of actively exploited Apache HugeGraph-Server bug ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo…
∗∗∗ macOS Sequoia change breaks networking for VPN, antivirus software ∗∗∗
---------------------------------------------
Users of macOS 15 Sequoia are reporting network connection errors when using certain endpoint detection and response (EDR) or virtual private network (VPN) solutions, and web browsers.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/macos-sequoia-change-breaks-net…
∗∗∗ 1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from The Register: Germanys Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrikes outage in July are dropping their current vendors products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to ..
---------------------------------------------
https://it.slashdot.org/story/24/09/19/1721236/1-in-10-orgs-dumping-their-s…
∗∗∗ SAP Hash Cracking Techniques ∗∗∗
---------------------------------------------
Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive data. Hash functions convert input data into a fixed-size string of characters that are both uniform and deterministic, making them an excellent choice for maintaining data security.
---------------------------------------------
https://redrays.io/blog/sap-hash-cracking-techniques/
∗∗∗ This Windows PowerShell Phish Has Scary Potential ∗∗∗
---------------------------------------------
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While its unlikely that many programmers fell for this ..
---------------------------------------------
https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary…
∗∗∗ Ivanti Warns of Second CSA Vulnerability Exploited in Attacks ∗∗∗
---------------------------------------------
In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited.
---------------------------------------------
https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-explo…
∗∗∗ Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China ∗∗∗
---------------------------------------------
GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections.
---------------------------------------------
https://www.securityweek.com/noise-storms-massive-amounts-of-spoofed-web-tr…
∗∗∗ Vorsicht vor gefälschten Gewinnspielen von ÖAMTC und ADAC ∗∗∗
---------------------------------------------
Vorsicht, wenn Sie per E-Mail ein Gewinnspiel für ein Auto-Notfallset erhalten. Kriminelle geben sich als ÖAMTC oder ADAC aus und behaupten, Sie hätten ein Auto-Notfallset gewonnen. Klicken Sie nicht auf den Link, Sie werden in eine Abo-Fall gelockt!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-gewinnspiele-oeamtc-adac/
∗∗∗ Datendiebstahl via Slack, Disney stellt Nutzung des Messenger-Dienstes ein ∗∗∗
---------------------------------------------
Die Hackergruppe Nullbulge konnte Computercode und Details über unveröffentlichte Projekte stehlen und veröffentlichen
---------------------------------------------
https://www.derstandard.at/story/3000000237370/datendiebstahl-disney-trennt…
∗∗∗ High-risk vulnerabilities in common enterprise technologies ∗∗∗
---------------------------------------------
Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/19/etr-high-risk-vulnerabilities-i…
∗∗∗ Jugendherbergen offenbar Opfer von Ransomware-Bande Hunters ∗∗∗
---------------------------------------------
Ende August kam es zu Störungen bei rund 450 deutschen Jugendherbergen. Die Ursache war unklar. Offenbar ist eine Ransomware-Attacke schuld.
---------------------------------------------
https://heise.de/-9938226
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5773-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00186.html
∗∗∗ OpenSSH 9.9 released ∗∗∗
---------------------------------------------
https://lwn.net/Articles/991028/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-09-2024 18:00 − Donnerstag 19-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Clever GitHub Scanner campaign abusing repos to push malware ∗∗∗
---------------------------------------------
A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. [..] The domain, github-scanner[.]com is not affiliated with GitHub and is being used to deliver malware to visitors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clever-github-scanner-campai…
∗∗∗ Sicherheitsexperte: Müssen uns nicht vor explodierenden Handys fürchten ∗∗∗
---------------------------------------------
Nach Explosionswellen im Libanon sorgen sich manche nun um die eigenen Smartphones. Cyberexperte Joe Pichelmayr sieht da aber wenig Gefahr.
---------------------------------------------
https://futurezone.at/digital-life/sicherheitsexperte-handys-smartphone-exp…
∗∗∗ Google Cloud Document AI flaw (still) allows data theft despite bounty payout ∗∗∗
---------------------------------------------
Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. [..] A Google spokesperson has told us in response to the above: [..] We developed a fix and are actively working to roll it out.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/17/google_cloud…
∗∗∗ Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware ∗∗∗
---------------------------------------------
In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cracked-software-or-cy…
∗∗∗ Solar Cybersecurity And The Nuances Of Renewable Energy Integration ∗∗∗
---------------------------------------------
The modern age of renewable energy has seen a surge in solar panels and wind turbines. While these systems enhance sustainability, their digital technologies carry risks. Cybersecurity professionals must know the relevant nuances when integrating renewable systems.
---------------------------------------------
https://www.tripwire.com/state-of-security/solar-cybersecurity-and-nuances-…
∗∗∗ Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool ∗∗∗
---------------------------------------------
Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers.
---------------------------------------------
https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/
∗∗∗ Betrugsfall mit tegut teo-App und fiktiver Mitarbeiternummer ∗∗∗
---------------------------------------------
Im Prozess sagte der Angeklagte: "Ich war zu der Zeit arbeitslos. Für die Märkte gibt es eine App und da konnte man bei Bezahlungsmitteln die Mitarbeiternummer als Karte hinterlegen. Ich habe es einfach mit einer zufälligen Zahl probiert, und es hat direkt geklappt.
---------------------------------------------
https://www.borncity.com/blog/2024/09/19/betrugsfall-mit-tegut-teo-app-und-…
∗∗∗ Aktuelle Phishing-Masche: Terminwunsch für Telefonat mit angeblicher Sparkasse ∗∗∗
---------------------------------------------
Die Verbraucherzentrale NRW warnt vor einer aktuellen Phishing-Masche. Angeblich will die Sparkasse einen Termin für ein Telefonat.
---------------------------------------------
https://heise.de/-9909574
∗∗∗ Discord startet Ende-zu-Ende-Verschlüsselung für Audio- und Video-Chats ∗∗∗
---------------------------------------------
Um die Privatsphäre zu wahren, verschlüsselt der Onlinedienst Discord ab sofort bestimmte Formen des Nachrichtenaustauschs Ende-zu-Ende.
---------------------------------------------
https://heise.de/-9909594
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server ∗∗∗
---------------------------------------------
CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution.
---------------------------------------------
https://kb.cert.org/vuls/id/138043
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/990877/
∗∗∗ GitLab Patches Critical Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
GitLab has patched a critical-severity SAML authentication bypass affecting both Community Edition (CE) and Enterprise Edition (EE) instances. [..] The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication.
---------------------------------------------
https://www.securityweek.com/gitlab-patches-critical-authentication-bypass-…
∗∗∗ DSA-5772-1 libreoffice - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00185.html
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr…
∗∗∗ MegaSys Computer Technologies Telenium Online Web Application ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04
∗∗∗ IDEC PLCs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-02
∗∗∗ Kastle Systems Access Control System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05
∗∗∗ IDEC CORPORATION WindLDR and WindO/I-NV4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-03
∗∗∗ Rockwell Automation RSLogix 5 and RSLogix 500 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 17-09-2024 18:00 − Mittwoch 18-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Construction firms breached in brute force attacks on accounting software ∗∗∗
---------------------------------------------
Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/construction-firms-breached-…
∗∗∗ Temu denies breach after hacker claims theft of 87 million data records ∗∗∗
---------------------------------------------
Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hac…
∗∗∗ Sandbox scores are not an antivirus replacement ∗∗∗
---------------------------------------------
Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an "overall score" or "verdict" is misleading.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/09/38031-sandbox-scores-are-not-an-…
∗∗∗ Vanir Locker: Deutsche Polizei übernimmt Tor-Seite einer Hackergruppe ∗∗∗
---------------------------------------------
Wer die Datenleckseite der Ransomwaregruppe Vanir Locker aufruft, findet dort nun eine Meldung des LKA vor. Die Seite wurde beschlagnahmt.
---------------------------------------------
https://www.golem.de/news/lka-baden-wuerttemberg-polizei-uebernimmt-leak-se…
∗∗∗ Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th) ∗∗∗
---------------------------------------------
A few months ago, I wrote a diary about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Infostealer+Patching+Windows+Exodu…
∗∗∗ VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation ∗∗∗
---------------------------------------------
Bug reports made in China Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation.
---------------------------------------------
https://www.theregister.com/2024/09/17/vmware_vcenter_patch/
∗∗∗ Australian Police conducted supply chain attack on criminal collaborationware ∗∗∗
---------------------------------------------
Sting led to cuffing of alleged operator behind Ghost – an app for drug trafficking, money laundering, and violence-as-a-service Australias Federal Police (AFP) yesterday arrested and charged a man with creating and administering an app named Ghost that was allegedly "a dedicated encrypted communication platform … built solely for the criminal underworld" and ..
---------------------------------------------
https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware…
∗∗∗ Did a Chinese University Hacking Competition Target a Real Victim? ∗∗∗
---------------------------------------------
Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.
---------------------------------------------
https://www.wired.com/story/china-hacking-competition-real-victim/
∗∗∗ Scam ‘Funeral Streaming’ Groups Thrive on Facebook ∗∗∗
---------------------------------------------
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any ..
---------------------------------------------
https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on…
∗∗∗ Russian Security Firm Doctor Web Hacked ∗∗∗
---------------------------------------------
Antimalware company Doctor Web was recently targeted in a cyberattack that prompted it to disconnect all resources from its networks.
---------------------------------------------
https://www.securityweek.com/russian-security-firm-doctor-web-discloses-tar…
∗∗∗ North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs ∗∗∗
---------------------------------------------
A North Korean group tracked as UNC2970 has been spotted trying to deliver new malware to people in the aerospace and energy industries.
---------------------------------------------
https://www.securityweek.com/north-korean-hackers-lure-critical-infrastruct…
∗∗∗ Cyber threats to shipping explained ∗∗∗
---------------------------------------------
TL;DR Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the […]The post Cyber threats to shipping explained first appeared on Pen Test Partners.
---------------------------------------------
https://www.pentestpartners.com/security-blog/cyber-threats-to-shipping-exp…
∗∗∗ Vulnerabilities in Cellular Packet Cores Part IV: Authentication ∗∗∗
---------------------------------------------
Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC). The first vulnerability (CVE-2024-20685) allows a crafted signaling message to crash the control plane, leading to potential service outages. The second (ZDI-CAN-23960) disconnects and replaces attached base stations, disrupting network operations. While these ..
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-…
∗∗∗ RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems ∗∗∗
---------------------------------------------
Air-gapped systems, once considered immune to attacks, are now vulnerable. Learn about a groundbreaking new method that ..
---------------------------------------------
https://hackread.com/rambo-attack-electromagnetic-waves-data-air-gapped-sys…
∗∗∗ CISA KEV performance in the Financial Sector ∗∗∗
---------------------------------------------
I’ve had a number of requests to examine the finance sector in more detail including breakdowns of exactly what kind of financial organizations are experiencing greater risk and who is remediating more quickly. Heres some answers.
---------------------------------------------
https://www.bitsight.com/blog/cisa-kev-performance-financial-sector
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce" ∗∗∗
---------------------------------------------
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN19766555/
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-09-2024 18:00 − Dienstag 17-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Exploit code released for critical Ivanti RCE flaw, patch now ∗∗∗
---------------------------------------------
A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-code-released-for-cr…
∗∗∗ Emergency Accounts: Last Call! ∗∗∗
---------------------------------------------
Even if you have been out of office for the last couple of months, you should be aware that starting October 15th you will need to provide Multi Factor Authentication (MFA) to logon to Azure portal, Entra admin center and Intune admin center. This will be enforced to all users accessing these resources regardless of their role or permission level. [..] With Microsoft’s new MFA enforcement, you need a different approach for emergency accounts.
---------------------------------------------
https://blog.nviso.eu/2024/09/17/emergency-accounts-last-call/
∗∗∗ Secure Boot-neutering PKfail debacle is more prevalent than anyone knew ∗∗∗
---------------------------------------------
A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines.
---------------------------------------------
https://arstechnica.com/?p=2050182
∗∗∗ Check24 und Verivox: Sensible Daten von Kreditnehmern leicht zugänglich im Netz ∗∗∗
---------------------------------------------
Bei zwei namhaften Vergleichsportalen hat ein Experte Sicherheitslücken entdeckt. Dadurch sollen Kreditangebote mit sensiblen Daten frei abrufbar gewesen sein. [..] Genannt wurden Daten wie Namen und Adressen sowie Angaben zum jeweiligen Arbeitsverhältnis, Einkommen und die Anzahl der Kinder.
---------------------------------------------
https://www.golem.de/news/check24-und-verivox-sensible-daten-von-kreditnehm…
∗∗∗ What to Do With Products Without SSO? ∗∗∗
---------------------------------------------
Let’s start with the role that SSO plays in modern defense architecture, and then cover how to implement similar security measures without such a centralized mechanism.
---------------------------------------------
https://zeltser.com/products-without-sso/
∗∗∗ Cyber predators target vulnerable victims: Hackers blackmail hospitals, trade patient data and find partners through darknet ads ∗∗∗
---------------------------------------------
According to data from Check Point Research (CPR), from January – September 2024, the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year.
---------------------------------------------
https://blog.checkpoint.com/research/cyber-predators-target-vulnerable-vict…
∗∗∗ ‘Clipper’ malware is being used to steal crypto, Binance warns ∗∗∗
---------------------------------------------
Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.”
---------------------------------------------
https://therecord.media/clipper-malware-binance-stealing-crypto
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8).
---------------------------------------------
https://lwn.net/Articles/990588/
∗∗∗ Apple Patches Major Security Flaws With iOS 18 Refresh ∗∗∗
---------------------------------------------
Apple warns that attackers can use Siri to access sensitive user data, control nearby devices, or view recent photos without authentication. According to a bulletin from Cupertino, iOS 18 has been fitted with fixes for vulnerabilities in core components including accessibility features, Bluetooth, Control Center, and Wi-Fi, with several flaws allowing unauthorized access to sensitive data or full device control.
---------------------------------------------
https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18…
∗∗∗ Sicherheitspatch: Hintertür in einigen D-Link-Routern erlaubt unbefugte Zugriffe ∗∗∗
---------------------------------------------
Angreifer können bestimmte Router-Modelle von D-Link attackieren und kompromittieren. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-9870648
∗∗∗ MISP 2.4.198 released with many bugs fixed, security fixes and improvements. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/09/17/MISP.2.4.198.released.html/
∗∗∗ Yokogawa Dual-redundant Platform for Computer (PC2CKM) ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03
∗∗∗ Millbeck Communications Proroute H685t-w ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-09-2024 18:00 − Montag 16-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗
---------------------------------------------
Infection corrals devices running AOSP-based firmware into a botnet.
---------------------------------------------
https://arstechnica.com/?p=2049773
∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗
---------------------------------------------
A malware campaign uses the unusual method of locking users in their browsers kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio…
∗∗∗ Nach Cyberangriff: Hacker stellen Daten von Kawasaki ins Darknet ∗∗∗
---------------------------------------------
Kawasaki selbst behauptet, der Cyberangriff sei "nicht erfolgreich" gewesen. Dennoch sind im Darknet fast 500 GBytes an Unternehmensdaten aufgetaucht.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa…
∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗
---------------------------------------------
In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force…
∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users credentials."Unlike other phishing webpage ..
---------------------------------------------
https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h…
∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗
---------------------------------------------
Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US.
---------------------------------------------
https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/
∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗
---------------------------------------------
Putting a spanner in work for plans of opposition party to launch a comeback during next years elections One of Germanys major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems.
---------------------------------------------
https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/
∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗
---------------------------------------------
A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would ..
---------------------------------------------
https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene…
∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗
---------------------------------------------
Seit kurzem sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024
∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗
---------------------------------------------
Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups.
---------------------------------------------
https://therecord.media/germany-cyberattack-radio-geretsried
∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗
---------------------------------------------
Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data.
---------------------------------------------
https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl).
---------------------------------------------
https://lwn.net/Articles/990455/
∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗
---------------------------------------------
Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as ..
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.198
∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1226/
∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1225/
∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1224/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-09-2024 18:00 − Freitag 13-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗
---------------------------------------------
With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed…
∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗
---------------------------------------------
A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers.
---------------------------------------------
https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/
∗∗∗ Nach CrowdStrike: Microsoft plant Security-Lösungen aus dem Windows-Kernel zu entfernen ∗∗∗
---------------------------------------------
Microsoft hat erste Pläne skizziert, wie sich Windows-Systeme so absichern lassen, dass ein kaputtes Update einer Endpunkt-Sicherheitslösung nicht das ganze Betriebssystem in den Abgrund reißt.
---------------------------------------------
https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s…
∗∗∗ I stole 20 GB of data from Capgemini – and now Im leaking it, says cybercrook ∗∗∗
---------------------------------------------
A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br…
∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗
---------------------------------------------
Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions.
---------------------------------------------
https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-…
∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability.
---------------------------------------------
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di…
∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗
---------------------------------------------
A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.
---------------------------------------------
https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-…
∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗
---------------------------------------------
This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website.
---------------------------------------------
https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten…
∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗
---------------------------------------------
I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/
∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗
---------------------------------------------
As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections.
---------------------------------------------
https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s…
=====================
= Vulnerabilities =
=====================
NTR
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-09-2024 18:00 − Donnerstag 12-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗
---------------------------------------------
GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip…
∗∗∗ Sicherheitspaket: CCC droht mit Anleitungen zur Überwachungssabotage ∗∗∗
---------------------------------------------
Zivilgesellschaftliche Verbände sind empört über das Sicherheitspaket der Bundesregierung. Der "billige Populismus" spiele Rechtsextremen in die Hände.
---------------------------------------------
https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue…
∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗
---------------------------------------------
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, ..
---------------------------------------------
https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2…
∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗
---------------------------------------------
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.The black hat SEO ..
---------------------------------------------
https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html
∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗
---------------------------------------------
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns."Selenium Grid is a server that facilitates running test cases in parallel ..
---------------------------------------------
https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht…
∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗
---------------------------------------------
Hauling in 30,000 staff IN PERSON to do password resets Breaking Transport for Londons ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees passwords will need to be reset via in-person appointments.
---------------------------------------------
https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/
∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗
---------------------------------------------
Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to ..
---------------------------------------------
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail…
∗∗∗ Living off the land, GPO style ∗∗∗
---------------------------------------------
TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗
---------------------------------------------
Attacks surge again in second quarter of 2024 as attackers bounce back from disruption.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Introduction to Third-Party Risk Management ∗∗∗
---------------------------------------------
In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on other’s expertise or cutting costs on already existing processes.
---------------------------------------------
https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen…
∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗
---------------------------------------------
CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/
∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗
---------------------------------------------
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗
---------------------------------------------
Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, ..
---------------------------------------------
https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1
∗∗∗ Microsoft Office: ActiveX wird abgedreht ∗∗∗
---------------------------------------------
Länger war es still darum, aber ActiveX gibt es noch. Kommende Microsoft Office-Versionen schalten die Unterstützung endlich ab. Zumindest fast.
---------------------------------------------
https://heise.de/-9865690
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-09-2024 18:00 − Mittwoch 11-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗
---------------------------------------------
A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-…
∗∗∗ Air-Gapped-Systeme: Malware nutzt LCD-Pixelmuster für Datenausleitung per Schall ∗∗∗
---------------------------------------------
Der Empfang erfolgt zum Beispiel über ein in der Nähe befindliches Smartphone. Die Datenrate ist gering, reicht aber für Keylogging und Passwörter.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-…
∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗
---------------------------------------------
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities.
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo…
∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments."The new samples were tracked to GitHub projects that ..
---------------------------------------------
https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗
---------------------------------------------
CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities Patch Tuesday Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.
---------------------------------------------
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
∗∗∗ So you paid a ransom demand … and now the decryptor doesnt work ∗∗∗
---------------------------------------------
A really big oh sh*t moment, for sure For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.
---------------------------------------------
https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗
---------------------------------------------
On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.
---------------------------------------------
https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-…
∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗
---------------------------------------------
In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008…
∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗
---------------------------------------------
We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr…
∗∗∗ The September 2024 Security Update Review ∗∗∗
---------------------------------------------
We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from ..
---------------------------------------------
https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re…
∗∗∗ SBOMs and the importance of inventory ∗∗∗
---------------------------------------------
Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory
∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗
---------------------------------------------
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries.SummaryWhat started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..
---------------------------------------------
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
---------------------------------------------
https://lwn.net/Articles/989772/
∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 09-09-2024 18:00 − Dienstag 10-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗
---------------------------------------------
The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so…
∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗
---------------------------------------------
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo…
∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗
---------------------------------------------
The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s…
∗∗∗ Russias top-secret military unit reportedly plots undersea cable sabotage ∗∗∗
---------------------------------------------
US alarmed by heightened Kremlin naval activity worldwide Russias naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
---------------------------------------------
https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot…
∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗
---------------------------------------------
Introduction Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-…
∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗
---------------------------------------------
Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach.
---------------------------------------------
https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi…
∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗
---------------------------------------------
The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility.
---------------------------------------------
https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too…
∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗
---------------------------------------------
Introduction This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri…
∗∗∗ Firmen überschätzen eigene Abwehrbereitschaft gegen Hacker ∗∗∗
---------------------------------------------
Laut einer aktuellen Studie zahlten 86 Prozent der befragten Firmen im vergangenen Jahr "Lösegeld", nachdem ihre Systeme infiziert wurden
---------------------------------------------
https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene…
∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗
---------------------------------------------
Explore Unit 42s review of North Korean APT groups and their impact, detailing the top 10 malware and tools weve seen from these threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g…
∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗
---------------------------------------------
Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar…
∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗
---------------------------------------------
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) ..
---------------------------------------------
https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso…
∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗
---------------------------------------------
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.
---------------------------------------------
https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware
∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus…
∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗
---------------------------------------------
Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work.
---------------------------------------------
https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-…
∗∗∗ Wegen US-Verbannung: Kaspersky-Kunden erhalten UltraAV von Pango ∗∗∗
---------------------------------------------
Nach dem Bann in den USA stellt das Unternehmen Kunden nun auf UltraAV um, bestätigt Kaspersky gegenüber heise online.
---------------------------------------------
https://heise.de/-9862992
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security…
∗∗∗ September 2024 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/september-2024-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily