Daily

daily@lists.cert.at

1 participants
3083 discussions

Tageszusammenfassung - 24.06.2024
by Daily end-of-shift report 24 Jun '24

24 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-06-2024 18:00 − Montag 24-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ratel RAT targets outdated Android phones in ransomware attacks ∗∗∗ --------------------------------------------- An open-source Android malware named Ratel RAT is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [..] As for the targets, Check Point mentions successful targeting of high-profile organizations, including in government and the military sector, with most victims being from the United States, China, and Indonesia. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-a… ∗∗∗ Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins ∗∗∗ --------------------------------------------- On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. [..] We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted. [..] At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. --------------------------------------------- https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org… ∗∗∗ Facebook PrestaShop module exploited to steal credit cards ∗∗∗ --------------------------------------------- Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal peoples payment credit card details. [..] Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed "a long time ago," without providing any proof. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-e… ∗∗∗ XZ backdoor: Hook analysis ∗∗∗ --------------------------------------------- In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. --------------------------------------------- https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/ ∗∗∗ Sysinternals Process Monitor Version 4 Released, (Sat, Jun 22nd) ∗∗∗ --------------------------------------------- These releases bring improvements to performance and the user interface. --------------------------------------------- https://isc.sans.edu/diary/rss/31026 ∗∗∗ Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. --------------------------------------------- https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html ∗∗∗ Deye Wechselrichter: Cloud Account zeigt fremde Anlagen-/Kundendaten an ∗∗∗ --------------------------------------------- In deutschen Objekten dürften einige Balkonkraftwerke und auch fest installierte Solaranlagen arbeiten, bei denen Wechselrichter des chinesischen Herstellers Deye verwendet werden. [..] Ein Leser hat mich bereits im Mai 2024 mit einem anderen Problem konfrontiert. Er konnte die Anlagendaten einer ihm komplett unbekannten Person einsehen. [..] Der Leser hat die deutsche Dependance kontaktiert [..] Die Reaktion hat den Leser erstaunt, denn als er den Hersteller auf den Bug hinwies, habe dieser das bezweifelt. [..] Generöser Weise bot Deye dem Betroffenen an, zu helfen, die zweite Anlage aus dem Benutzerkonto auszutragen. --------------------------------------------- https://www.borncity.com/blog/2024/06/24/deye-wechselrichter-cloud-account-… ∗∗∗ Horror auf dem Vision Pro: Exploit schleust Spinnen und Fledermäuse in den Raum ∗∗∗ --------------------------------------------- Damit der Angriff gelingt, muss der Vision-Pro-Nutzer lediglich eine präparierte Webseite aufrufen. Der Raum füllt sich daraufhin mit gruseligen Tierchen, inklusive Sound. --------------------------------------------- https://www.golem.de/news/horror-auf-der-vision-pro-exploit-schleust-spinne… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) ∗∗∗ --------------------------------------------- The product WINSelect from Faronics is used to restrict the possible actions of users on a system and can even be used to implement a Kiosk mode. Due to hardcoded credentials and an unfitting application architecture an attacker could decrypt the configuration file and retrieve the password which is used to configure the software. Thus, an attacker could completely disable the software. [..] The vendor provides a patched version 8.30.xx.903 since May 2024 [..] Since the hardcoded password for the encryption is not fixed, we ask if this will be addressed as well. Vendor responds that this will be addressed in a future release. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java). --------------------------------------------- https://lwn.net/Articles/979520/ ∗∗∗ CosmicSting: Schwachstelle CVE-2024-34102 gefährdet Adobe Commerce- und Magento-Shops ∗∗∗ --------------------------------------------- Seit Mitte des Monats ist bekannt, dass in Adobe Commerce- und Magento-Online-Shops die Schwachstelle CVE-2024-34102 existiert. Zusammen mit einer Linux-Schwachstelle lassen sich Tausende Shops durch Angreifer übernehmen. Es gibt seit einigen Tagen einen Fix, aber ein Großteil der Online-Shops läuft noch mit ungepatchten Versionen. --------------------------------------------- https://www.borncity.com/blog/2024/06/24/cosmicsting-schwachstelle-cve-2024… ∗∗∗ Vulnerability Summary for the Week of June 17, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2024
by Daily end-of-shift report 21 Jun '24

21 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-06-2024 18:00 − Freitag 21-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of RansomHub ransomware targets VMware ESXi VMs ∗∗∗ --------------------------------------------- The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-ransomhub-r… ∗∗∗ Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals ∗∗∗ --------------------------------------------- The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview. --------------------------------------------- https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/ ∗∗∗ LLMNR – das oft vergessene Einfallstor ins Netzwerk ∗∗∗ --------------------------------------------- LLMNR dient zur Namensauflösung in lokalen Netzwerken, wenn kein Domain Name System (DNS) vorhanden ist – was heutzutage so gut wie nie vorkommt. Da LLMNR keine Sicherheitsmechanismen enthält, lässt es sich sehr leicht für Angriffe missbrauchen. --------------------------------------------- https://www.syss.de/pentest-blog/llmnr-das-oft-vergessene-einfallstor-ins-n… ∗∗∗ Meine Gesundheitsdaten wurden gestohlen. Was nun? ∗∗∗ --------------------------------------------- Gesundheitsdaten bleiben weiterhin ein begehrtes Ziel für Hacker. Gelangen sie – warum auch immer – in fremde Hände, sollten Sie diese Schritte befolgen, um den Schaden zu minimieren. --------------------------------------------- https://www.welivesecurity.com/de/privatsphare/meine-gesundheitsdaten-wurde… ∗∗∗ SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. --------------------------------------------- https://blog.talosintelligence.com/sneakychef-sugarghost-rat/ ∗∗∗ Worldwide 2023 Email Phishing Statistics and Examples ∗∗∗ --------------------------------------------- Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in 2023. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/23/e/worldwide-email-phishing-stats-e… ∗∗∗ CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: (SMBs) ∗∗∗ --------------------------------------------- Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/20/cisa-releases-guidance-s… ∗∗∗ Cybercrime: Datenlecks bei Apple und T-Mobile, Gerüchte über Jira-Exploit ∗∗∗ --------------------------------------------- Ein bekannter Cyberkrimineller versucht interne Daten aus Apples und T-Mobiles Beständen sowie Schadcode für Jira zu Geld zu machen. Ein Unternehmen dementiert. --------------------------------------------- https://heise.de/-9771149 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3). --------------------------------------------- https://lwn.net/Articles/979153/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server). --------------------------------------------- https://lwn.net/Articles/979257/ ∗∗∗ 2024-06-21: Cyber Security Advisory -System 800xA SECURITY Advisory - ABB 800xA Base 6.0.x, 6.1.x CSLib communication DoS vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA013309&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2024
by Daily end-of-shift report 20 Jun '24

20 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-06-2024 18:00 − Donnerstag 20-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SolarWinds Serv-U path-traversal flaw actively exploited in attacks ∗∗∗ --------------------------------------------- Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits. [..] The vulnerability, CVE-2024-28995, is a high-severity directory traversal flaw, allowing unauthenticated attackers to read arbitrary files from the filesystem by crafting specific HTTP GET requests. [..] SolarWinds released the 15.4.2 Hotfix 2, version 15.4.2.157, on June 5, 2024, to address this vulnerability by introducing improved validation mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-serv-u-path-trave… ∗∗∗ No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary], (Thu, Jun 20th) ∗∗∗ --------------------------------------------- Being in the IT and cybersecurity world it seems the costs of controls keeps going up and up. With all the new flashy tools coming out daily it’s easy to forget that there are tons of free tools that can be just as effective at stopping attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/31024 ∗∗∗ Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. --------------------------------------------- https://thehackernews.com/2024/06/researchers-uncover-uefi-vulnerability.ht… ∗∗∗ Fickle Stealer Distributed via Multiple Attack Chain ∗∗∗ --------------------------------------------- This article summarizes the details of this campaign, roughly dividing the attack chain into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload. --------------------------------------------- https://feeds.fortinet.com/~/899735243/0/fortinet/blogs~Fickle-Stealer-Dist… ∗∗∗ A Traveler’s Guide to Cybersecurity ∗∗∗ --------------------------------------------- In this Q&A with Jonas Walker, a Security Strategist with Fortinet’s FortiGuard Labs, he offers his insight into how to stay safe and avoid attacks from threat actors while traveling in today’s cyber world. --------------------------------------------- https://feeds.fortinet.com/~/701705230/0/fortinet/blogs~A-Traveler%e2%80%99… ∗∗∗ BSI warnt vor angreifbaren Codeschmuggel-Lecks in tausenden Exchange-Servern ∗∗∗ --------------------------------------------- Das BSI schreibt, dass mehr als 18.000 Exchange-Server einen offenen Outlook-Web-Access anbieten und für eine oder sogar mehrere Codeschmuggel-Lücken anfällig seien. --------------------------------------------- https://heise.de/-9770441 ===================== = Vulnerabilities = ===================== ∗∗∗ D-Link: Versteckte Backdoor in 16 Routermodellen entdeckt ∗∗∗ --------------------------------------------- Angreifer können aus der Ferne den Telnet-Dienst betroffener D-Link-Router aktivieren. Auch die Admin-Zugangsdaten sind offenbar in der Firmware hinterlegt. --------------------------------------------- https://www.golem.de/news/d-link-versteckte-backdoor-in-16-routermodellen-e… ∗∗∗ Sicherheitslücken: Attacken auf Atlassian Confluence & Co. möglich ∗∗∗ --------------------------------------------- Sicherheitslücken bedrohen mehrere Anwendungen von Atlassian. Angreifer können Abstürze auslösen oder unbefugt Daten einsehen. [..] Wie aus einer Warnmeldung hervorgeht, haben die Entwickler insgesamt neun Schwachstellen geschlossen, die alle mit dem Bedrohungsgrad "hoch" eingestuft sind. --------------------------------------------- https://heise.de/-9770453 ∗∗∗ Arbitrary File Upload in edu-sharing (metaVentis GmbH) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-in… ∗∗∗ Sonicwall: Heap-based buffer overflow vulnerability in SonicOS SSL-VPN ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0009 ∗∗∗ Sonicwall: Stack-based buffer overflow vulnerability in SonicOS HTTP server ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0008 ∗∗∗ CAREL Boss-Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-02 ∗∗∗ Westermo L210-F2G ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03 ∗∗∗ Yokogawa CENTUM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.06.2024
by Daily end-of-shift report 19 Jun '24

19 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-06-2024 18:00 − Mittwoch 19-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ONNX phishing service targets Microsoft 365 accounts at financial firms ∗∗∗ --------------------------------------------- A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts for employees at financial firms using QR codes in PDF attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/onnx-phishing-service-target… ∗∗∗ Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages ∗∗∗ --------------------------------------------- Mailcow is an easy-to-use email solution that can be set up in minutes. [..] In this blog post, we will cover the code intricacies that led to the vulnerabilities. We will first go over the details of the XSS vulnerability and then explore the Path Traversal flaw. We will also cover how the mailcow maintainers have tackled these issues and give advice on how to avoid such vulnerabilities in your code. [..] They have been fixed in mailcow 2024-04 and seem to have existed for at least three years. --------------------------------------------- https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sa… ∗∗∗ Sicherheitslücke: Phisher können E-Mails im Namen von Microsoft verschicken ∗∗∗ --------------------------------------------- Durch die Schwachstelle lassen sich E-Mails beispielsweise mit security(a)microsoft.com als Absender übermitteln. [..] Wie aus einem Bericht von Techcrunch hervorgeht, funktioniert das Spoofing nur beim Mail-Versand an Outlook-Konten, womit jedoch weltweit mehrere Hundert Millionen Nutzer betroffen sind. [..] Technische Details nannte der Forscher aus Sicherheitsgründen bisher nicht. [..] Wann das Spoofing-Problem behoben sein wird, bleibt jedoch weiterhin offen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-phisher-koennen-e-mails-im-name… ∗∗∗ Vorsicht vor gefälschten BAWAG-Nachrichten ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische SMS-Nachrichten im Namen der BAWAG. Darin wird behauptet, dass eine IP-Adresse aus Schweden Ihre App aktiviert hat. Wenn dies nicht Sie waren, werden Sie aufgefordert, auf einen Link zu klicken. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-bawag-nach… ∗∗∗ IT-Sicherheitsforscher warnen vor neuer Angriffstechnik über die Zwischenablage ∗∗∗ --------------------------------------------- ClearFake ist ein bösartiges JavaScript-Framework, das auf kompromittierten Websites eingesetzt wird, um mittels Drive-by-Download-Technik weitere Malware zu verbreiten. Dabei erhalten die Opfer eine Fehlermeldung, die vorgibt, von einer vertrauenswürdigen Quelle wie dem Betriebssystem zu stammen. Sie suggeriert ein Problem und liefert gleichzeitig eine Lösung in Form eines PowerShell-Befehls, den das Opfer nur noch kopieren und ausführen muss. --------------------------------------------- https://heise.de/-9768750 ∗∗∗ 20 Prozent der Microsoft SQL Server läuft trotz End of Life ∗∗∗ --------------------------------------------- Ein Fünftel der SQL-Server-Instanzen läuft mit veralteten Versionen. Ab nächsten Monat könnten es mit SQL Server 2014 sogar ein Drittel werden. --------------------------------------------- https://heise.de/-9769490 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP8 IF03 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP8 IF03. These issues affect Juniper Networks Juniper Secure Analytics: Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools, firefox, and flatpak), Debian (composer, roundcube, and thunderbird), Fedora (kitty and webkitgtk), Oracle (container-tools and flatpak), Red Hat (flatpak and java-1.8.0-ibm), SUSE (gdcm, gdk-pixbuf, libarchive, libzypp, zypper, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, podman, python-Werkzeug, and thunderbird), and Ubuntu (git, linux-hwe-6.5, mariadb, mariadb-10.6, and thunderbird). --------------------------------------------- https://lwn.net/Articles/978907/ ∗∗∗ Paradox IP150 Internet Module Cross-Site Request Forgery ∗∗∗ --------------------------------------------- The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system. [..] We are not aware of a vendor fix yet. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/9b61d7e591aa320b9ecedd6701… ∗∗∗ Multiple vulnerabilities in Ricoh Streamline NX PC Client ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN00442488/ ∗∗∗ Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65171386/ ∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-… ∗∗∗ Huawei: Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2024
by Daily end-of-shift report 18 Jun '24

18 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 17-06-2024 18:02 − Dienstag 18-06-2024 18:02 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hackers use F5 BIG-IP malware to stealthily steal data for years ∗∗∗ --------------------------------------------- A group of suspected Chinese cyberespionage actors named Velvet Ant are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malwar… ∗∗∗ Analysis of user password strength ∗∗∗ --------------------------------------------- Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques. --------------------------------------------- https://securelist.com/passworde-brute-force-time/112984/ ∗∗∗ New Malware Targets Exposed Docker APIs for Cryptocurrency Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. --------------------------------------------- https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.h… ∗∗∗ From Clipboard to Compromise: A PowerShell Self-Pwn ∗∗∗ --------------------------------------------- Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powe… ∗∗∗ Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability ∗∗∗ --------------------------------------------- With physical access to Android device with enabled ADB debugging running Android 12 or 13 before receiving March 2024 security patch, it is possible to access internal data of any user installed app by misusing CVE-2024-0044 vulnerability. --------------------------------------------- https://www.mobile-hacker.com/2024/06/17/exfiltrate-sensitive-user-data-fro… ∗∗∗ Achtung Fake: doouglasparfum.com ∗∗∗ --------------------------------------------- In professionell wirkenden Online-Shops von Douglas werden aktuell Markenparfüms um mehr als 50 Prozent billiger angeboten. Sogar die Internetadressen doouglasparfum.com oder dougllas.com erscheinen zunächst plausibel. Wer in diesen Fake-Shops einkauft verliert aber Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-doouglasparfumcom/ ∗∗∗ Attack Paths Into VMs in the Cloud ∗∗∗ --------------------------------------------- Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ ∗∗∗ Private Microsoft Outlook-Mailkonten sollen besser abgesichert werden ∗∗∗ --------------------------------------------- Microsoft hat vor einigen Tagen eine Ankündigung gemacht, dass man "Outlook für private Nutzer" in Zukunft besser absichern will. --------------------------------------------- https://www.borncity.com/blog/2024/06/18/private-microsoft-outlook-mailkont… ∗∗∗ How are attackers trying to bypass MFA? ∗∗∗ --------------------------------------------- Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their push-spray MFA attacks --------------------------------------------- https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/ ∗∗∗ Malvertising Campaign Leads to Execution of Oyster Backdoor ∗∗∗ --------------------------------------------- Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-… ∗∗∗ Cloaked and Covert: Uncovering UNC3886 Espionage Operations ∗∗∗ --------------------------------------------- Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886… ∗∗∗ CISA and Partners Release Guidance for Modern Approaches to Network Access Security ∗∗∗ --------------------------------------------- Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/18/cisa-and-partners-releas… ∗∗∗ New Diamorphine rootkit variant seen undetected in the wild ∗∗∗ --------------------------------------------- Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64 and ARM64). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker at compilation time. --------------------------------------------- https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd). --------------------------------------------- https://lwn.net/Articles/978804/ ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht VMware vCenter Server ∗∗∗ --------------------------------------------- Unter anderem zwei kritische Schwachstelle bedrohen vCenter Server und Cloud Foundation von VMware. --------------------------------------------- https://heise.de/-9767493 ∗∗∗ Python-based exploit in Autodesk Maya software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0011 ∗∗∗ Kritische Schwachstelle CVE-2024-38428 in wget ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/06/18/kritische-schwachstelle-cve-2024-3… ∗∗∗ RAD Data Communications SecFlow-2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-170-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2024
by Daily end-of-shift report 17 Jun '24

17 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-06-2024 18:00 − Montag 17-06-2024 18:02 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Linux malware is controlled through emojis sent from Discord ∗∗∗ --------------------------------------------- The malware is similar to many other backdoors/botnets used in different attacks, allowing threat actors to execute commands, take screenshots, steal files, deploy additional payloads, and search for files. However, its use of Discord and emojis as a command and control (C2) platform makes the malware stand out from others and could allow it to bypass security software that looks for text-based commands. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-is-control… ∗∗∗ New ARM TIKTAG attack impacts Google Chrome, Linux systems ∗∗∗ --------------------------------------------- A new speculative execution attack named "TIKTAG" targets ARMs Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. [..] Leaking those tags does not directly expose sensitive data such as passwords, encryption keys, or personal information. However, it can theoretically allow attackers to undermine the protections provided by MTE, rendering the security system ineffective against stealthy memory corruption attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impact… ∗∗∗ Ransomware Roundup – Shinra and Limpopo Ransomware ∗∗∗ --------------------------------------------- he Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-shinra-and… ∗∗∗ Ivanti Endpoint Manager: Exploit für kritische Lücke aufgetaucht ∗∗∗ --------------------------------------------- Ende Mai wurden teils kritische Sicherheitslücken in Ivantis Endpoint Manager (EPM) bekannt. Inzwischen haben IT-Sicherheitsforscher einen Proof-of-Concept-Exploit für eine davon veröffentlicht. --------------------------------------------- https://heise.de/-9765685 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, libreoffice, podman, python-idna, rpm-ostree, and ruby), Debian (atril, chromium, ffmpeg, libndp, libvpx, nano, plasma-workspace, pymongo, roundcube, sendmail, and thunderbird), Fedora (booth and thunderbird), Mageia (aom, atril, libvpx, nano, nss, firefox, and vte), Red Hat (linux-firmware), SUSE (bind, booth, mariadb, openssl-1_1, php7, php8, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-fde, linux-azure, linux-gke, and linux-nvidia-6.5). --------------------------------------------- https://lwn.net/Articles/978709/ ∗∗∗ Sicherheitsupdates: Angreifer können Asus-Router kompromittieren ∗∗∗ --------------------------------------------- Mehrere WLAN-Router von Asus sind verwundbar und Angreifer können auf sie zugreifen. Updates lösen mehrere Sicherheitsprobleme. [..] Wie aus dem Sicherheitsbereich der Asus-Website hervorgeht, sind von der „kritischen“ Schwachstelle (CVE-2024-3080) die WLAN-Router-Modelle RT-AC68U, RTAC86U, RT-AX57, RT-AX58U, RT-AX88U, XT8_V2 und XT8 betroffen. --------------------------------------------- https://heise.de/-9765067 ∗∗∗ Nextcloud: Angreifer können Zwei-Faktor-Authentifizierung umgehen ∗∗∗ --------------------------------------------- Die Clouddienst-Software Nextcloud ist verwundbar. In aktuellen Versionen haben die Entwickler mehrere Sicherheitslücken geschlossen. [..] Am gefährlichsten gelten zwei Lücken in Nextcloud und Nextcloud Enterprise. An diesen Stellen können Angreifer die Rechte von Freigaben ausweiten (CVE-2024-37882 "hoch") oder die Zwei-Faktor-Authentifizierung umgehen (CVE-2024-37313 "hoch"). Wie solche Attacken ablaufen könnten, führen die Entwickler derzeit nicht aus. --------------------------------------------- https://heise.de/-9766062 ∗∗∗ Vulnerability Summary for the Week of June 10, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-169 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2024
by Daily end-of-shift report 14 Jun '24

14 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-06-2024 18:00 − Freitag 14-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ 2023 Hacked Website & Malware Threat Report ∗∗∗ --------------------------------------------- This year, we’ve included new insights to highlight the most prevalent tactics and techniques observed in compromised web environments and remote scanners. --------------------------------------------- https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.h… ∗∗∗ How to Write Good Incident Response Reports ∗∗∗ --------------------------------------------- Creating an informative and readable report is among the many challenges of responding to cybersecurity incidents. A good report not only answers its readers questions but also instills confidence in the response and enables the organization to learn from the incident. This blog highlights my advice on writing such incident reports. --------------------------------------------- https://zeltser.com/good-incident-reports/ ∗∗∗ Edge Devices: The New Frontier for Mass Exploitation Attacks ∗∗∗ --------------------------------------------- The increase in mass exploitation involving edge services and devices is likely to worsen. --------------------------------------------- https://www.securityweek.com/edge-devices-the-new-frontier-for-mass-exploit… ∗∗∗ Microsoft president tells lawmakers red lines needed for nation-state attacks ∗∗∗ --------------------------------------------- Microsoft president Brad Smith testified before a congressional committee on Thursday, at times accepting responsibility for the company’s recent cybersecurity mistakes while simultaneously deflecting criticism of the tech giant’s practices. He also called on the government to create "consequences" for nation-state hackers who compromise U.S. systems. --------------------------------------------- https://therecord.media/microsoft-president-brad-smith-lawmakers-cyber ∗∗∗ Windows 11 "Copilot+PC" kommt (vorerst) ohne Recall ∗∗∗ --------------------------------------------- Was für ein PR-Desaster für Microsoft – nächste Woche sollen Geräte mit dem Konzept "Copilot+PC" auf den Markt kommen. Aber die wichtigste Funktion "Windows Recall", die Microsoft noch vor kurzen als den "Stein der KI-Weisen" in den Himmel gelobt hat, wird fehlen. Es gibt den recall von Recall, was als Meme inzwischen durch das Netz geistert. [..] Denn Sicherheit habe bei Microsoft "oberste Priorität" und dieser Rückruf sei im Sinne der Secure Future Initiative (SFI). --------------------------------------------- https://www.borncity.com/blog/2024/06/14/windows-11-copilotpc-kommt-vorerst… ∗∗∗ Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups ∗∗∗ --------------------------------------------- This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new… ∗∗∗ UNC3944 Targets SaaS Applications ∗∗∗ --------------------------------------------- UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-sa… ===================== = Vulnerabilities = ===================== ∗∗∗ Nextcloud Security Advisories 2024-06-14 ∗∗∗ --------------------------------------------- 2x High, 5x Moderate, 5x Low --------------------------------------------- https://github.com/nextcloud/security-advisories/security?page=1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91). --------------------------------------------- https://lwn.net/Articles/978418/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-28/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2024
by Daily end-of-shift report 13 Jun '24

13 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-06-2024 18:00 − Donnerstag 13-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Patchday Juni 2024 - CVE-2024-30080, CVE-2024-30078 ∗∗∗ --------------------------------------------- Im Rahmen des aktuellen Patchday hat Microsoft Patches für 58 Sicherheitslücken veröffentlicht. Aus der Liste stechen zwei Schwachstellen besonders hervor: CVE-2024-30080, eine Remote Code Execution in Microsoft Message Queuing (MSMQ) [..] CVE-2024-30078, eine Remote Code Execution in "Windows Wi-Fi Driver". --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/microsoft-patchday-juni-2024-cve-20… ∗∗∗ Kundenservice österreichischer Unternehmen nicht über kunden-support.tel kontaktieren! ∗∗∗ --------------------------------------------- Sie suchen die Kontaktdaten des Kundendienstes Ihrer Bank oder Ihres Mobilfunkanbieters? Sie haben eine Frage an die Österreichische Post oder müssen die Wiener Stadtwerke erreichen? Wenn Sie im Internet nach den Kontaktdaten eines dieser oder vieler anderer Unternehmen suchen, um den Kundensupport anzurufen, könnten Sie auf die Seite kunden-support.tel stoßen. Diese Seite schaltet Werbung auf Google und gibt vor, die Kontaktdaten verschiedener österreichischer Kundendienste aufzulisten. Aber Vorsicht! Dahinter stecken Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/kundenservice-oesterreichischer-unte… ∗∗∗ Cinterion EHS5 3G UMTS/HSPA Module Research ∗∗∗ --------------------------------------------- In the course of the modem security analysis, we found seven locally exploited vulnerabilities and one remotely exploited vulnerability. The combination of these vulnerabilities could allow an attacker to completely get control over the modem. [..] All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far as the product support discontinued. --------------------------------------------- https://ics-cert.kaspersky.com/publications/cinterion-ehs5-3g-umts-hspa-mod… ∗∗∗ Phishing emails abuse Windows search protocol to push malicious scripts ∗∗∗ --------------------------------------------- A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. [..] In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents. Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers' servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-window… ∗∗∗ Fortinet: CVE 2024-21754: Passwords on a Silver Platter ∗∗∗ --------------------------------------------- Matthias Barkhausen and Hendrik Eckardt have discovered a flaw in the firmware of Fortinet firewalls. This flaw potentially reveals sensitive information to attackers, such as passwords. [..] The flaw has been responsibly disclosed to the vendor. It has been addressed in FortiOS v7.4.4, dated June 11, 2024. [..] Learn more details and read the full story on the blog of G DATA Advanced Analytics. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/01/37834-passwords-on-a-silver-plat… ∗∗∗ Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware ∗∗∗ --------------------------------------------- The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. [..] The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll"). --------------------------------------------- https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.ht… ∗∗∗ New Attack Technique Sleepy Pickle Targets Machine Learning Models ∗∗∗ --------------------------------------------- The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle. [..] While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization). --------------------------------------------- https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html ∗∗∗ Digitale Stellenangebote: Job gesucht, Betrug gefunden ∗∗∗ --------------------------------------------- Jahresverdienst von 90.000 Euro, Homeoffice und 30 Tage Urlaub für eine Einstiegsstelle als Junior Data Analyst – das klingt zu gut, um wahr zu sein, oder? Ist es auch: Denn oftmals entpuppen sich solche Stellenangebote als Betrug. --------------------------------------------- https://www.welivesecurity.com/de/scams/digitale-stellenangebote-job-gesuch… ∗∗∗ Watch Out! CISA Warns It Is Being Impersonated By Scammers ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are impersonating its employees in an attempt to commit fraud. --------------------------------------------- https://www.tripwire.com/state-of-security/watch-out-cisa-warns-it-being-im… ∗∗∗ Malware-Ranking: Androxgh0st-Botnet breitet sich in Deutschland aus ∗∗∗ --------------------------------------------- Die seit April aktive Malware schafft es im Mai bereits auf Platz 2. Lockbit erholt sich von den Maßnahmen der Strafverfolger und macht weltweit wieder 33 Prozent der veröffentlichten Ransomware-Angriffe aus. --------------------------------------------- https://www.zdnet.de/88416444/malware-ranking-androxgh0st-botnet-breitet-si… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Der VLC Media Player ist angreifbar ∗∗∗ --------------------------------------------- Durch einen speziell gestalteten MMS-Stream lässt sich der VLC-Player zum Absturz bringen. Laut VideoLAN ist potenziell auch eine Schadcodeausführung möglich. [..] Anfällig sind alle VLC-Versionen bis einschließlich 3.0.20. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-der-vlc-media-player-ist-angrei… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource). --------------------------------------------- https://lwn.net/Articles/978291/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability, CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability, CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/13/cisa-adds-three-known-ex… ∗∗∗ Google fixed an actively exploited zero-day in the Pixel Firmware ∗∗∗ --------------------------------------------- https://securityaffairs.com/164500/security/google-fixed-pixel-firmware-zer… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/06/wordfence-intelligence-weekly-wordpr… ∗∗∗ Palo Alto: CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log Files (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5908 ∗∗∗ Palo Alto: CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5909 ∗∗∗ Palo Alto: CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5906 ∗∗∗ Palo Alto: CVE-2024-5907 Cortex XDR Agent: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5907 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-14 ∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2024
by Daily end-of-shift report 12 Jun '24

12 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-06-2024 18:00 − Mittwoch 12-06-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Schwachstelle in Windows: Angreifer können per WLAN Schadcode einschleusen ∗∗∗ --------------------------------------------- Ein Angreifer muss sich lediglich in WLAN-Reichweite zum Zielsystem befinden, um bösartigen Code auszuführen. Betroffen sind alle gängigen Windows-Versionen. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-windows-angreifer-koennen-per-wl… ∗∗∗ JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens ∗∗∗ --------------------------------------------- JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-intellij-… ∗∗∗ New backdoor BadSpace delivered by high-ranking infected websites ∗∗∗ --------------------------------------------- Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, theres an unwelcome surprise: the .. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor ∗∗∗ Geheimdienst deckt auf: China-Hacker dringen in 20.000 Fortinet-Systeme ein ∗∗∗ --------------------------------------------- Ziele der Cyberangriffe sind dem niederländischen NCSC zufolge westliche Regierungen, diplomatische Einrichtungen und die Rüstungsindustrie. --------------------------------------------- https://www.golem.de/news/geheimdienst-deckt-auf-china-hacker-dringen-in-20… ∗∗∗ Microsoft Patch Tuesday June 2024, (Tue, Jun 11th) ∗∗∗ --------------------------------------------- Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today. --------------------------------------------- https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000 ∗∗∗ Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw ∗∗∗ --------------------------------------------- Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from .. --------------------------------------------- https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html ∗∗∗ Adobe Plugs Code Execution Holes in After Effects, Illustrator ∗∗∗ --------------------------------------------- Patch Tuesday: Adobe fixes critical flaws and warns of the risk of code execution attacks on Windows and macOS platforms. --------------------------------------------- https://www.securityweek.com/adobe-plugs-code-execution-holes-in-after-effe… ∗∗∗ Betrifft iOS und MacOS: Angreifer können per Mail Facetime-Anrufe einleiten ∗∗∗ --------------------------------------------- Der Entdecker der Schwachstelle behauptet, sie lasse sich sehr einfach ausnutzen. Selbst ein aktiver Lockdown-Modus könne die unerwünschten Anrufe nicht blockieren. --------------------------------------------- https://www.golem.de/news/betrifft-ios-und-macos-angreifer-koennen-per-mail… ∗∗∗ Ransomware Group Exploits PHP Vulnerability Days After Disclosure ∗∗∗ --------------------------------------------- The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure. --------------------------------------------- https://www.securityweek.com/ransomware-group-exploits-php-vulnerability-da… ∗∗∗ GitHub Paid Out Over $4 Million via Bug Bounty Program ∗∗∗ --------------------------------------------- The code hosting platform GitHub has paid out more than $4 million since the launch of its bug bounty program 10 years ago. --------------------------------------------- https://www.securityweek.com/github-paid-out-over-4-million-via-bug-bounty-… ∗∗∗ The Evolution of QR Code Phishing: ASCII-Based QR Codes ∗∗∗ --------------------------------------------- Quishing is a rapidly evolving threat. Starting around August, when we saw the first rapid increase, we’ve also seen a change in the type of QR code attacks. It started with standard MFA authentication requests. It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of .. --------------------------------------------- https://blog.checkpoint.com/harmony-email/the-evolution-of-qr-code-phishing… ∗∗∗ Ukrainian police identify suspected affiliate of Conti, LockBit groups ∗∗∗ --------------------------------------------- Ukrainian cyber police say they have identified a local hacker affiliated with the notorious Conti and LockBit .. --------------------------------------------- https://therecord.media/ukraine-suspected-lockbit-conti-affiliate ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5707-1 vlc - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00117.html ∗∗∗ ZDI-24-579: Apple macOS PPM Image Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-579/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/978136/ ∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2024
by Daily end-of-shift report 11 Jun '24

11 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 10-06-2024 18:00 − Dienstag 11-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gitloker attacks abuse GitHub notifications to push malicious oAuth apps ∗∗∗ --------------------------------------------- Threat actors impersonate GitHubs security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps in an ongoing extortion campaign wiping compromised repos. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-githu… ∗∗∗ Arm warns of actively exploited flaw in Mali GPU kernel drivers ∗∗∗ --------------------------------------------- Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploi… ∗∗∗ QR code SQL injection and other vulnerabilities in a popular biometric terminal ∗∗∗ --------------------------------------------- The report analyzes the security properties of a popular biometric access control terminal made by ZkTeco and describes vulnerabilities found in it. --------------------------------------------- https://securelist.com/biometric-terminal-vulnerabilities/112800/ ∗∗∗ A Brief History of SmokeLoader, Part 1 ∗∗∗ --------------------------------------------- In May 2024, Zscaler ThreatLabz technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to law enforcement for the operation, ThreatLabz has documented SmokeLoader for nearly all known versions. In this two-part blog series, we explore the evolution of SmokeLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-p… ∗∗∗ „Hallo Mama/Hallo Papa“-Nachrichten zielen auf persönliche Fotos ∗∗∗ --------------------------------------------- Vorsicht, wenn Ihr Kind plötzlich von einer unbekannten Nummer schreibt und behauptet, dies sei nun die neue Nummer. Dahinter stecken Kriminelle, die Ihnen Geld stehlen wollen. Außerdem bittet „Ihr Kind“ um die Zusendung von persönlichen Fotos. Diese werden von den Kriminellen vermutlich für weitere Betrugsmaschen missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zi… ∗∗∗ Enumerating System Management Interrupts ∗∗∗ --------------------------------------------- System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility. --------------------------------------------- https://research.nccgroup.com/2024/06/10/enumerating-system-management-inte… ∗∗∗ BIOS-Update 01.17.00 macht HP Probooks 445 G7 und 455 G7 komplett unbrauchbar ∗∗∗ --------------------------------------------- Hewlett Packard (HP) hat eine kaputte BIOS-Version veröffentlicht, die Notebooks der Modelle HP Probook 445 G7 455 G7 aus dem Jahr 2020 zum teuren Briefbeschwerer machen. [..] Dieses BIOS 01.17.00.Update soll eine kritische Sicherheitslücke schließen, was auch so vom Support Assistant als kritisches Update gelistet wurde, welches man möglichst schnell installieren sollte. --------------------------------------------- https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-prob… ===================== = Vulnerabilities = ===================== ∗∗∗ Netgear WNR614 flaws allow device takeover, no fix available ∗∗∗ --------------------------------------------- Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-d… ∗∗∗ (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-598/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff). --------------------------------------------- https://lwn.net/Articles/977939/ ∗∗∗ CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U ∗∗∗ --------------------------------------------- On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-ex… ∗∗∗ SAP liefert am Patchday Sicherheitskorrekturen für zwei hochriskante Lücken ∗∗∗ --------------------------------------------- SAP warnt zum Juni-Patchday vor zehn neuen Sicherheitslücken. Aktualisierungen zum Abdichten der Lecks stehen bereit. --------------------------------------------- https://heise.de/-9757338 ∗∗∗ Avast Antivirus: Angreifer können Rechte durch Schwachstelle ausweiten ∗∗∗ --------------------------------------------- Avast Antivirus ermöglichte bösartigen Akteuren aufgrund einer Sicherheitslücke, ihre Rechte im System auszuweiten. Aktualisierte Software ist verfügbar und sollte idealerweise bereits mittels automatischem Update-Mechanismus verteilt worden sein. In der Auflistung der Sicherheitsmitteilungen von Norton (unter dieser Gen Digital Inc.-Marke sind Avast-, Avira-, AVG- und Norton Security-Produkte inzwischen gruppiert) findet sich nichts zu dieser Lücke, jedoch hat NortonLifeLock als CNA einen entsprechenden CVE-Eintrag erstellt. --------------------------------------------- https://heise.de/-9757748 ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 127 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/ ∗∗∗ Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-029/ ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03 ∗∗∗ AVEVA PI Asset Framework Client ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03 ∗∗∗ AVEVA PI Web API ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02 ∗∗∗ Rockwell Automation ControlLogix, GuardLogix, and CompactLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01 ∗∗∗ Intrado 911 Emergency Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01 ∗∗∗ SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-900277.html ∗∗∗ SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-879734.html ∗∗∗ SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-771940.html ∗∗∗ SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-690517.html ∗∗∗ SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-625862.html ∗∗∗ SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-620338.html ∗∗∗ SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-540640.html ∗∗∗ SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-481506.html ∗∗∗ SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-341067.html ∗∗∗ SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-337522.html ∗∗∗ SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-319319.html ∗∗∗ SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-238730.html ∗∗∗ SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-196737.html ∗∗∗ SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-024584.html ∗∗∗ Fortinet: Blind SQL Injection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-128 ∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-036 ∗∗∗ Fortinet: FortiOS/FortiProxy - XSS in reboot page ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-471 ∗∗∗ Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-495 ∗∗∗ Fortinet: Multiple buffer overflows in diag npu command ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-460 ∗∗∗ Fortinet: Stack buffer overflow on bluetooth write feature ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-356 ∗∗∗ Fortinet: TunnelVision - CVE-2024-3661 ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-170 ∗∗∗ Fortinet: Weak key derivation for backup file ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-423 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily