Daily

daily@lists.cert.at

1 participants
3138 discussions

Tageszusammenfassung - 24.09.2024
by Daily end-of-shift report 24 Sep '24

24 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2024 18:00 − Dienstag 24-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackerangriff hier, Hackerangriff da? Nein. ∗∗∗ --------------------------------------------- Ein Kommentar zur aktuellen Berichterstattung rund um DDoS-Angriffe gegen die Webseiten politischer Parteien in Österreich. --------------------------------------------- https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff ∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗ --------------------------------------------- An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-… ∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗ --------------------------------------------- A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-octo-android-malware-ver… ∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗ --------------------------------------------- Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31292 ∗∗∗ Untersuchung von Solaris / SunOS - Persistenz mit Systemprozessen ∗∗∗ --------------------------------------------- Im Vergleich zu Windows oder sogar Linux ist das öffentliche Wissen und die Anleitung zur digitalen Forensik für Solaris / SunOS eher dünn. Während dieses Einsatzes haben wir unser Wissen über Solaris erheblich erweitert und es auf verschiedene Angreifertechniken hin untersucht. In diesem Blog-Beitrag möchten wir unsere Erfahrungen mit der Untersuchung potenzieller Persistenz durch Systemprozesse im Zusammenhang mit der MITRE ATT&CK-Technik T1543 teilen. --------------------------------------------- https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persiste… ∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗ --------------------------------------------- A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. {..] Deloitte says no sensitive data exposed after a notorious hacker leaked what he claimed to be internal communications. --------------------------------------------- https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-afte… ∗∗∗ Kirchenaustritt nicht über kirchenaustritt-digital-beantragen.at beantragen ∗∗∗ --------------------------------------------- Wer Informationen zum Kirchenaustritt sucht, landet schnell bei kirchenaustritt-digital-beantragen.at. Wir raten jedoch davon ab, über diesen kostenpflichtigen Dienst den Austritt zu beantragen. Beschwerden zufolge wird die Kündigung trotz Bezahlung nicht an die Kirche übermittelt. Außerdem werden sehr viele Daten und eine Ausweiskopie verlangt. Wir raten generell davon ab, Kündigungen usw. über Drittanbieter abzuwickeln. --------------------------------------------- https://www.watchlist-internet.at/news/kirchenaustritt/ ∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗ --------------------------------------------- We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. --------------------------------------------- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ ∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗ --------------------------------------------- A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service. --------------------------------------------- https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗ --------------------------------------------- Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity. --------------------------------------------- https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-t… ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel, ICSA-24-268-02 Alisonic Sibylla, ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO, ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE, ICSA-24-268-05 Moxa MXview One, ICSA-24-268-06 OMNTEC Proteus Tank Monitoring, ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A), ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-indu… ∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗ --------------------------------------------- Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269) --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗ --------------------------------------------- In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation. --------------------------------------------- https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated… ∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-462.html ∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83325/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2024
by Daily end-of-shift report 23 Sep '24

23 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2024 18:00 − Montag 23-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hyper-V und VMware: Schwachstellen, Patches, PoCs ∗∗∗ --------------------------------------------- In Hyper-V wurde kürzlich eine Schwachstelle gepatcht – jetzt gibt es einen Proof of Concept (PoC) für diese Schwachstelle. Und bei VMware gibt es ebenfalls Schwachstellen sowie Infos, wie sich aus der VM ausbrechen lässt. --------------------------------------------- https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-… ∗∗∗ Android malware Necro infects 11 million devices via Google Play ∗∗∗ --------------------------------------------- A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-necro-infect… ∗∗∗ Global infostealer malware operation targets crypto users, gamers ∗∗∗ --------------------------------------------- A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo." --------------------------------------------- https://www.bleepingcomputer.com/news/security/global-infostealer-malware-o… ∗∗∗ Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd) ∗∗∗ --------------------------------------------- While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address). --------------------------------------------- https://isc.sans.edu/diary/rss/31288 ∗∗∗ Staying a Step Ahead: Mitigating the DPRK IT Worker Threat ∗∗∗ --------------------------------------------- This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it… ∗∗∗ Why Do Criminals Love Phishing-as-a-Service Platforms? ∗∗∗ --------------------------------------------- Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-crim… ∗∗∗ CISA boss: Makers of insecure software are enablers of the real villains ∗∗∗ --------------------------------------------- Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_… ∗∗∗ Proxy Detection: Comparing Detection Services with the Truth ∗∗∗ --------------------------------------------- In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth. --------------------------------------------- https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-ser… ∗∗∗ Hackers Claim Second Dell Data Breach in One Week ∗∗∗ --------------------------------------------- Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident. --------------------------------------------- https://hackread.com/dell-hit-by-second-security-breach-in-week/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/991377/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2024
by Daily end-of-shift report 20 Sep '24

20 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2024 18:00 − Freitag 20-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ever wonder how crooks get the credentials to unlock stolen phones? ∗∗∗ --------------------------------------------- iServer provided a simple service for phishing credentials to unlock phones. --------------------------------------------- https://arstechnica.com/?p=2051165 ∗∗∗ CISA warns of actively exploited Apache HugeGraph-Server bug ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ macOS Sequoia change breaks networking for VPN, antivirus software ∗∗∗ --------------------------------------------- Users of macOS 15 Sequoia are reporting network connection errors when using certain endpoint detection and response (EDR) or virtual private network (VPN) solutions, and web browsers. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/macos-sequoia-change-breaks-net… ∗∗∗ 1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from The Register: Germanys Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrikes outage in July are dropping their current vendors products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to .. --------------------------------------------- https://it.slashdot.org/story/24/09/19/1721236/1-in-10-orgs-dumping-their-s… ∗∗∗ SAP Hash Cracking Techniques ∗∗∗ --------------------------------------------- Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive data. Hash functions convert input data into a fixed-size string of characters that are both uniform and deterministic, making them an excellent choice for maintaining data security. --------------------------------------------- https://redrays.io/blog/sap-hash-cracking-techniques/ ∗∗∗ This Windows PowerShell Phish Has Scary Potential ∗∗∗ --------------------------------------------- Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While its unlikely that many programmers fell for this .. --------------------------------------------- https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary… ∗∗∗ Ivanti Warns of Second CSA Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited. --------------------------------------------- https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-explo… ∗∗∗ Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China ∗∗∗ --------------------------------------------- GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections. --------------------------------------------- https://www.securityweek.com/noise-storms-massive-amounts-of-spoofed-web-tr… ∗∗∗ Vorsicht vor gefälschten Gewinnspielen von ÖAMTC und ADAC ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie per E-Mail ein Gewinnspiel für ein Auto-Notfallset erhalten. Kriminelle geben sich als ÖAMTC oder ADAC aus und behaupten, Sie hätten ein Auto-Notfallset gewonnen. Klicken Sie nicht auf den Link, Sie werden in eine Abo-Fall gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-gewinnspiele-oeamtc-adac/ ∗∗∗ Datendiebstahl via Slack, Disney stellt Nutzung des Messenger-Dienstes ein ∗∗∗ --------------------------------------------- Die Hackergruppe Nullbulge konnte Computercode und Details über unveröffentlichte Projekte stehlen und veröffentlichen --------------------------------------------- https://www.derstandard.at/story/3000000237370/datendiebstahl-disney-trennt… ∗∗∗ High-risk vulnerabilities in common enterprise technologies ∗∗∗ --------------------------------------------- Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries. --------------------------------------------- https://www.rapid7.com/blog/post/2024/09/19/etr-high-risk-vulnerabilities-i… ∗∗∗ Jugendherbergen offenbar Opfer von Ransomware-Bande Hunters ∗∗∗ --------------------------------------------- Ende August kam es zu Störungen bei rund 450 deutschen Jugendherbergen. Die Ursache war unklar. Offenbar ist eine Ransomware-Attacke schuld. --------------------------------------------- https://heise.de/-9938226 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5773-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00186.html ∗∗∗ OpenSSH 9.9 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/991028/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2024
by Daily end-of-shift report 19 Sep '24

19 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2024 18:00 − Donnerstag 19-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Clever GitHub Scanner campaign abusing repos to push malware ∗∗∗ --------------------------------------------- A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. [..] The domain, github-scanner[.]com is not affiliated with GitHub and is being used to deliver malware to visitors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-github-scanner-campai… ∗∗∗ Sicherheitsexperte: Müssen uns nicht vor explodierenden Handys fürchten ∗∗∗ --------------------------------------------- Nach Explosionswellen im Libanon sorgen sich manche nun um die eigenen Smartphones. Cyberexperte Joe Pichelmayr sieht da aber wenig Gefahr. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsexperte-handys-smartphone-exp… ∗∗∗ Google Cloud Document AI flaw (still) allows data theft despite bounty payout ∗∗∗ --------------------------------------------- Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. [..] A Google spokesperson has told us in response to the above: [..] We developed a fix and are actively working to roll it out. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/17/google_cloud… ∗∗∗ Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware ∗∗∗ --------------------------------------------- In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cracked-software-or-cy… ∗∗∗ Solar Cybersecurity And The Nuances Of Renewable Energy Integration ∗∗∗ --------------------------------------------- The modern age of renewable energy has seen a surge in solar panels and wind turbines. While these systems enhance sustainability, their digital technologies carry risks. Cybersecurity professionals must know the relevant nuances when integrating renewable systems. --------------------------------------------- https://www.tripwire.com/state-of-security/solar-cybersecurity-and-nuances-… ∗∗∗ Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool ∗∗∗ --------------------------------------------- Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/ ∗∗∗ Betrugsfall mit tegut teo-App und fiktiver Mitarbeiternummer ∗∗∗ --------------------------------------------- Im Prozess sagte der Angeklagte: "Ich war zu der Zeit arbeitslos. Für die Märkte gibt es eine App und da konnte man bei Bezahlungsmitteln die Mitarbeiternummer als Karte hinterlegen. Ich habe es einfach mit einer zufälligen Zahl probiert, und es hat direkt geklappt. --------------------------------------------- https://www.borncity.com/blog/2024/09/19/betrugsfall-mit-tegut-teo-app-und-… ∗∗∗ Aktuelle Phishing-Masche: Terminwunsch für Telefonat mit angeblicher Sparkasse ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt vor einer aktuellen Phishing-Masche. Angeblich will die Sparkasse einen Termin für ein Telefonat. --------------------------------------------- https://heise.de/-9909574 ∗∗∗ Discord startet Ende-zu-Ende-Verschlüsselung für Audio- und Video-Chats ∗∗∗ --------------------------------------------- Um die Privatsphäre zu wahren, verschlüsselt der Onlinedienst Discord ab sofort bestimmte Formen des Nachrichtenaustauschs Ende-zu-Ende. --------------------------------------------- https://heise.de/-9909594 ===================== = Vulnerabilities = ===================== ∗∗∗ VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server ∗∗∗ --------------------------------------------- CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution. --------------------------------------------- https://kb.cert.org/vuls/id/138043 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle). --------------------------------------------- https://lwn.net/Articles/990877/ ∗∗∗ GitLab Patches Critical Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- GitLab has patched a critical-severity SAML authentication bypass affecting both Community Edition (CE) and Enterprise Edition (EE) instances. [..] The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication. --------------------------------------------- https://www.securityweek.com/gitlab-patches-critical-authentication-bypass-… ∗∗∗ DSA-5772-1 libreoffice - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00185.html ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ MegaSys Computer Technologies Telenium Online Web Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-02 ∗∗∗ Kastle Systems Access Control System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05 ∗∗∗ IDEC CORPORATION WindLDR and WindO/I-NV4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-03 ∗∗∗ Rockwell Automation RSLogix 5 and RSLogix 500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2024
by Daily end-of-shift report 18 Sep '24

18 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2024 18:00 − Mittwoch 18-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Construction firms breached in brute force attacks on accounting software ∗∗∗ --------------------------------------------- Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/construction-firms-breached-… ∗∗∗ Temu denies breach after hacker claims theft of 87 million data records ∗∗∗ --------------------------------------------- Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hac… ∗∗∗ Sandbox scores are not an antivirus replacement ∗∗∗ --------------------------------------------- Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an "overall score" or "verdict" is misleading. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/09/38031-sandbox-scores-are-not-an-… ∗∗∗ Vanir Locker: Deutsche Polizei übernimmt Tor-Seite einer Hackergruppe ∗∗∗ --------------------------------------------- Wer die Datenleckseite der Ransomwaregruppe Vanir Locker aufruft, findet dort nun eine Meldung des LKA vor. Die Seite wurde beschlagnahmt. --------------------------------------------- https://www.golem.de/news/lka-baden-wuerttemberg-polizei-uebernimmt-leak-se… ∗∗∗ Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th) ∗∗∗ --------------------------------------------- A few months ago, I wrote a diary about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications .. --------------------------------------------- https://isc.sans.edu/forums/diary/Python+Infostealer+Patching+Windows+Exodu… ∗∗∗ VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation ∗∗∗ --------------------------------------------- Bug reports made in China Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation. --------------------------------------------- https://www.theregister.com/2024/09/17/vmware_vcenter_patch/ ∗∗∗ Australian Police conducted supply chain attack on criminal collaborationware ∗∗∗ --------------------------------------------- Sting led to cuffing of alleged operator behind Ghost – an app for drug trafficking, money laundering, and violence-as-a-service Australias Federal Police (AFP) yesterday arrested and charged a man with creating and administering an app named Ghost that was allegedly "a dedicated encrypted communication platform … built solely for the criminal underworld" and .. --------------------------------------------- https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware… ∗∗∗ Did a Chinese University Hacking Competition Target a Real Victim? ∗∗∗ --------------------------------------------- Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there. --------------------------------------------- https://www.wired.com/story/china-hacking-competition-real-victim/ ∗∗∗ Scam ‘Funeral Streaming’ Groups Thrive on Facebook ∗∗∗ --------------------------------------------- Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any .. --------------------------------------------- https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on… ∗∗∗ Russian Security Firm Doctor Web Hacked ∗∗∗ --------------------------------------------- Antimalware company Doctor Web was recently targeted in a cyberattack that prompted it to disconnect all resources from its networks. --------------------------------------------- https://www.securityweek.com/russian-security-firm-doctor-web-discloses-tar… ∗∗∗ North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs ∗∗∗ --------------------------------------------- A North Korean group tracked as UNC2970 has been spotted trying to deliver new malware to people in the aerospace and energy industries. --------------------------------------------- https://www.securityweek.com/north-korean-hackers-lure-critical-infrastruct… ∗∗∗ Cyber threats to shipping explained ∗∗∗ --------------------------------------------- TL;DR Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the […]The post Cyber threats to shipping explained first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-threats-to-shipping-exp… ∗∗∗ Vulnerabilities in Cellular Packet Cores Part IV: Authentication ∗∗∗ --------------------------------------------- Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC). The first vulnerability (CVE-2024-20685) allows a crafted signaling message to crash the control plane, leading to potential service outages. The second (ZDI-CAN-23960) disconnects and replaces attached base stations, disrupting network operations. While these .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-… ∗∗∗ RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems ∗∗∗ --------------------------------------------- Air-gapped systems, once considered immune to attacks, are now vulnerable. Learn about a groundbreaking new method that .. --------------------------------------------- https://hackread.com/rambo-attack-electromagnetic-waves-data-air-gapped-sys… ∗∗∗ CISA KEV performance in the Financial Sector ∗∗∗ --------------------------------------------- I’ve had a number of requests to examine the finance sector in more detail including breakdowns of exactly what kind of financial organizations are experiencing greater risk and who is remediating more quickly. Heres some answers. --------------------------------------------- https://www.bitsight.com/blog/cisa-kev-performance-financial-sector ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce" ∗∗∗ --------------------------------------------- WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN19766555/ ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2024
by Daily end-of-shift report 17 Sep '24

17 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2024 18:00 − Dienstag 17-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploit code released for critical Ivanti RCE flaw, patch now ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-code-released-for-cr… ∗∗∗ Emergency Accounts: Last Call! ∗∗∗ --------------------------------------------- Even if you have been out of office for the last couple of months, you should be aware that starting October 15th you will need to provide Multi Factor Authentication (MFA) to logon to Azure portal, Entra admin center and Intune admin center. This will be enforced to all users accessing these resources regardless of their role or permission level. [..] With Microsoft’s new MFA enforcement, you need a different approach for emergency accounts. --------------------------------------------- https://blog.nviso.eu/2024/09/17/emergency-accounts-last-call/ ∗∗∗ Secure Boot-neutering PKfail debacle is more prevalent than anyone knew ∗∗∗ --------------------------------------------- A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines. --------------------------------------------- https://arstechnica.com/?p=2050182 ∗∗∗ Check24 und Verivox: Sensible Daten von Kreditnehmern leicht zugänglich im Netz ∗∗∗ --------------------------------------------- Bei zwei namhaften Vergleichsportalen hat ein Experte Sicherheitslücken entdeckt. Dadurch sollen Kreditangebote mit sensiblen Daten frei abrufbar gewesen sein. [..] Genannt wurden Daten wie Namen und Adressen sowie Angaben zum jeweiligen Arbeitsverhältnis, Einkommen und die Anzahl der Kinder. --------------------------------------------- https://www.golem.de/news/check24-und-verivox-sensible-daten-von-kreditnehm… ∗∗∗ What to Do With Products Without SSO? ∗∗∗ --------------------------------------------- Let’s start with the role that SSO plays in modern defense architecture, and then cover how to implement similar security measures without such a centralized mechanism. --------------------------------------------- https://zeltser.com/products-without-sso/ ∗∗∗ Cyber predators target vulnerable victims: Hackers blackmail hospitals, trade patient data and find partners through darknet ads ∗∗∗ --------------------------------------------- According to data from Check Point Research (CPR), from January – September 2024, the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year. --------------------------------------------- https://blog.checkpoint.com/research/cyber-predators-target-vulnerable-vict… ∗∗∗ ‘Clipper’ malware is being used to steal crypto, Binance warns ∗∗∗ --------------------------------------------- Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.” --------------------------------------------- https://therecord.media/clipper-malware-binance-stealing-crypto ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8). --------------------------------------------- https://lwn.net/Articles/990588/ ∗∗∗ Apple Patches Major Security Flaws With iOS 18 Refresh ∗∗∗ --------------------------------------------- Apple warns that attackers can use Siri to access sensitive user data, control nearby devices, or view recent photos without authentication. According to a bulletin from Cupertino, iOS 18 has been fitted with fixes for vulnerabilities in core components including accessibility features, Bluetooth, Control Center, and Wi-Fi, with several flaws allowing unauthorized access to sensitive data or full device control. --------------------------------------------- https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18… ∗∗∗ Sicherheitspatch: Hintertür in einigen D-Link-Routern erlaubt unbefugte Zugriffe ∗∗∗ --------------------------------------------- Angreifer können bestimmte Router-Modelle von D-Link attackieren und kompromittieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-9870648 ∗∗∗ MISP 2.4.198 released with many bugs fixed, security fixes and improvements. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/09/17/MISP.2.4.198.released.html/ ∗∗∗ Yokogawa Dual-redundant Platform for Computer (PC2CKM) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03 ∗∗∗ Millbeck Communications Proroute H685t-w ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2024
by Daily end-of-shift report 16 Sep '24

16 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-09-2024 18:00 − Montag 16-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗ --------------------------------------------- Infection corrals devices running AOSP-based firmware into a botnet. --------------------------------------------- https://arstechnica.com/?p=2049773 ∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗ --------------------------------------------- A malware campaign uses the unusual method of locking users in their browsers kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio… ∗∗∗ Nach Cyberangriff: Hacker stellen Daten von Kawasaki ins Darknet ∗∗∗ --------------------------------------------- Kawasaki selbst behauptet, der Cyberangriff sei "nicht erfolgreich" gewesen. Dennoch sind im Darknet fast 500 GBytes an Unternehmensdaten aufgetaucht. --------------------------------------------- https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa… ∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗ --------------------------------------------- In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force… ∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users credentials."Unlike other phishing webpage .. --------------------------------------------- https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h… ∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗ --------------------------------------------- Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US. --------------------------------------------- https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/ ∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗ --------------------------------------------- Putting a spanner in work for plans of opposition party to launch a comeback during next years elections One of Germanys major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems. --------------------------------------------- https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/ ∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗ --------------------------------------------- A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would .. --------------------------------------------- https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene… ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit kurzem sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024 ∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗ --------------------------------------------- Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups. --------------------------------------------- https://therecord.media/germany-cyberattack-radio-geretsried ∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗ --------------------------------------------- Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data. --------------------------------------------- https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl). --------------------------------------------- https://lwn.net/Articles/990455/ ∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗ --------------------------------------------- Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.198 ∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1226/ ∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1225/ ∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1224/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2024
by Daily end-of-shift report 13 Sep '24

13 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-09-2024 18:00 − Freitag 13-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗ --------------------------------------------- With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT). --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed… ∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗ --------------------------------------------- A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers. --------------------------------------------- https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/ ∗∗∗ Nach CrowdStrike: Microsoft plant Security-Lösungen aus dem Windows-Kernel zu entfernen ∗∗∗ --------------------------------------------- Microsoft hat erste Pläne skizziert, wie sich Windows-Systeme so absichern lassen, dass ein kaputtes Update einer Endpunkt-Sicherheitslösung nicht das ganze Betriebssystem in den Abgrund reißt. --------------------------------------------- https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s… ∗∗∗ I stole 20 GB of data from Capgemini – and now Im leaking it, says cybercrook ∗∗∗ --------------------------------------------- A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br… ∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗ --------------------------------------------- Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions. --------------------------------------------- https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-… ∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. --------------------------------------------- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di… ∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗ --------------------------------------------- A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others. --------------------------------------------- https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-… ∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗ --------------------------------------------- This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website. --------------------------------------------- https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten… ∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗ --------------------------------------------- I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/ ∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗ --------------------------------------------- As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections. --------------------------------------------- https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2024
by Daily end-of-shift report 12 Sep '24

12 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-09-2024 18:00 − Donnerstag 12-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗ --------------------------------------------- GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip… ∗∗∗ Sicherheitspaket: CCC droht mit Anleitungen zur Überwachungssabotage ∗∗∗ --------------------------------------------- Zivilgesellschaftliche Verbände sind empört über das Sicherheitspaket der Bundesregierung. Der "billige Populismus" spiele Rechtsextremen in die Hände. --------------------------------------------- https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue… ∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, .. --------------------------------------------- https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2… ∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗ --------------------------------------------- A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.The black hat SEO .. --------------------------------------------- https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html ∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗ --------------------------------------------- Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns."Selenium Grid is a server that facilitates running test cases in parallel .. --------------------------------------------- https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht… ∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗ --------------------------------------------- Hauling in 30,000 staff IN PERSON to do password resets Breaking Transport for Londons ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees passwords will need to be reset via in-person appointments. --------------------------------------------- https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/ ∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗ --------------------------------------------- Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to .. --------------------------------------------- https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail… ∗∗∗ Living off the land, GPO style ∗∗∗ --------------------------------------------- TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog .. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/ ∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗ --------------------------------------------- Attacks surge again in second quarter of 2024 as attackers bounce back from disruption. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Introduction to Third-Party Risk Management ∗∗∗ --------------------------------------------- In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on other’s expertise or cutting costs on already existing processes. --------------------------------------------- https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen… ∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗ --------------------------------------------- CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/ ∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗ --------------------------------------------- In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html ∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗ --------------------------------------------- Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, .. --------------------------------------------- https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1 ∗∗∗ Microsoft Office: ActiveX wird abgedreht ∗∗∗ --------------------------------------------- Länger war es still darum, aber ActiveX gibt es noch. Kommende Microsoft Office-Versionen schalten die Unterstützung endlich ab. Zumindest fast. --------------------------------------------- https://heise.de/-9865690 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2024
by Daily end-of-shift report 11 Sep '24

11 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-09-2024 18:00 − Mittwoch 11-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗ --------------------------------------------- A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-… ∗∗∗ Air-Gapped-Systeme: Malware nutzt LCD-Pixelmuster für Datenausleitung per Schall ∗∗∗ --------------------------------------------- Der Empfang erfolgt zum Beispiel über ein in der Nähe befindliches Smartphone. Die Datenrate ist gering, reicht aber für Keylogging und Passwörter. --------------------------------------------- https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-… ∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗ --------------------------------------------- Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities. --------------------------------------------- https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo… ∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments."The new samples were tracked to GitHub projects that .. --------------------------------------------- https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html ∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗ --------------------------------------------- CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities Patch Tuesday Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address. --------------------------------------------- https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/ ∗∗∗ So you paid a ransom demand … and now the decryptor doesnt work ∗∗∗ --------------------------------------------- A really big oh sh*t moment, for sure For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life. --------------------------------------------- https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/ ∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗ --------------------------------------------- On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality. --------------------------------------------- https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-… ∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗ --------------------------------------------- In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates .. --------------------------------------------- https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008… ∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗ --------------------------------------------- We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors. --------------------------------------------- https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr… ∗∗∗ The September 2024 Security Update Review ∗∗∗ --------------------------------------------- We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from .. --------------------------------------------- https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re… ∗∗∗ SBOMs and the importance of inventory ∗∗∗ --------------------------------------------- Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains? --------------------------------------------- https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory ∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗ --------------------------------------------- Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries.SummaryWhat started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel .. --------------------------------------------- https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311). --------------------------------------------- https://lwn.net/Articles/989772/ ∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily