=====================
= End-of-Day report =
=====================
Timeframe: Freitag 23-08-2024 18:00 − Montag 26-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Stealthy sedexp Linux malware evaded detection for two years ∗∗∗
---------------------------------------------
A stealthy Linux malware named sedexp has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malwar…
∗∗∗ BSI: Prüfung der Sicherheit von Huawei bleibt ein Staatsgeheimnis ∗∗∗
---------------------------------------------
Da die Sicherheitsinteressen Deutschlands berührt sind, legt das BSI die technische Prüfung von Huawei nicht offen. Immerhin hat Golem.de erreicht, dass die Einstufung überprüft wurde.
---------------------------------------------
https://www.golem.de/news/bsi-pruefung-der-sicherheit-von-huawei-bleibt-ein…
∗∗∗ DSGVO-Verstoß: Uber soll 290 Millionen Euro Geldstrafe zahlen ∗∗∗
---------------------------------------------
Dem beliebten Fahrdienst wird vorgeworfen, mehr als zwei Jahre lang sensible Fahrerdaten bei unzureichendem Schutz in die USA übermittelt zu haben.
---------------------------------------------
https://www.golem.de/news/datenuebertragung-in-die-usa-uber-soll-290-millio…
∗∗∗ From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th) ∗∗∗
---------------------------------------------
If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I&#;x26;#;39;m often impressed by the crazy techniques attackers use to ..
---------------------------------------------
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+R…
∗∗∗ SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access ∗∗∗
---------------------------------------------
SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as ..
---------------------------------------------
https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html
∗∗∗ Cisco calls for United Nations to revisit cyber-crime convention ∗∗∗
---------------------------------------------
Echoes human rights groups concerns that it could suppress free speech and more Networking giant Cisco has suggested the United Nations first-ever convention against cyber-crime is dangerously flawed and should be revised before being put to a formal vote.
---------------------------------------------
https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_conve…
∗∗∗ Post-Quantum Cryptography: Standards and Progress ∗∗∗
---------------------------------------------
The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come.
---------------------------------------------
http://security.googleblog.com/2024/08/post-quantum-cryptography-standards.…
∗∗∗ Meta blockiert Whatsapp-Konten nach Hackerangriffen ∗∗∗
---------------------------------------------
Hierbei wurde die iranische Hackergruppe APT42 ins Visier genommen
---------------------------------------------
https://www.derstandard.at/story/3000000233708/meta-blockiert-whatsapp-kont…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-expl…
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
=====================
= Vulnerabilities =
=====================
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desk…
∗∗∗ WPS Office Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82637/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 22-08-2024 18:00 − Freitag 23-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Qilin ransomware now steals credentials from Chrome browsers ∗∗∗
---------------------------------------------
The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in Google Chrome browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-…
∗∗∗ Hackers are exploiting critical bug in LiteSpeed Cache plugin ∗∗∗
---------------------------------------------
Hackers have already started to exploit the critical severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details become public.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-criti…
∗∗∗ Warnung vor Ebola-Infektion: Uni löst mit Phishing-Test unnötige Panik aus ∗∗∗
---------------------------------------------
Studenten und Mitarbeiter der UCSC haben per E-Mail eine falsche Warnung vor einer Ebola-Infektion auf dem Campus erhalten. Der CISO der Uni entschuldigt sich.
---------------------------------------------
https://www.golem.de/news/warnung-vor-ebola-infektion-phishing-test-an-eine…
∗∗∗ Mäh- und Saugroboter: Ecovacs will Spionagelücken nun doch angehen ∗∗∗
---------------------------------------------
Mehrere Mäh- und Saugroboter von Ecovacs lassen sich von Angreifern übernehmen. Erst wollte der Hersteller gar nicht patchen, doch nun kommt die Kehrtwende.
---------------------------------------------
https://www.golem.de/news/hersteller-lenkt-ein-ecovacs-arbeitet-nun-doch-an…
∗∗∗ WordPress Websites Used to Distribute ClearFake Trojan Malware ∗∗∗
---------------------------------------------
Unfortunately, scams are all over the place, and anybody who has surfed the web should know this. We’ve all gotten phishing emails, or redirected to questionable websites at some point or another. Being on your guard is an important posture to take online, and part of that is knowing how to identify threats, scams, or places you shouldn’t visit ..
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clear…
∗∗∗ Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control ∗∗∗
---------------------------------------------
Details have emerged about a China-nexus threat groups exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.The activity, attributed to Velvet Ant, was ..
---------------------------------------------
https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.ht…
∗∗∗ Halliburton probes an issue disrupting business ops ∗∗∗
---------------------------------------------
What could the problem be? Reportedly, a cyberattack American oil giant Halliburton is investigating an "issue," reportedly a cyberattack, that has disrupted some business operations and global networks.
---------------------------------------------
https://www.theregister.com/2024/08/22/halliburton_investigates_incident_am…
∗∗∗ Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware ∗∗∗
---------------------------------------------
We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials.
---------------------------------------------
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
∗∗∗ CrowdStrike Outage Timeline and Analysis ∗∗∗
---------------------------------------------
Bitsights analysis of the CrowdStrike outage and timeline mysteries.
---------------------------------------------
https://www.bitsight.com/blog/crowdstrike-outage-timeline-and-analysis
∗∗∗ A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware: Article by Kate Robertson in Lawfare ∗∗∗
---------------------------------------------
In an article for Lawfare, the Citizen Labs senior research associate Kate Robertson analyzes how, in its current form, the draft treaty is poised "to become a vehicle for complicity in the global mercenary spy trade."
---------------------------------------------
https://citizenlab.ca/2024/08/a-global-treaty-to-fight-cybercrime-without-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicOS Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-08-2024 18:00 − Donnerstag 22-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google fixes ninth Chrome zero-day exploited in attacks this year ∗∗∗
---------------------------------------------
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-…
∗∗∗ U.S. charges Karakurt extortion gang’s “cold case” negotiator ∗∗∗
---------------------------------------------
A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-g…
∗∗∗ Löschpflicht und Sicherheitslücken: Bußgelder wegen Datenschutzverstößen häufen sich ∗∗∗
---------------------------------------------
In Hamburg wurden bereits jetzt mehr Bußgeldverfahren wegen Datenschutzverstößen abgeschlossen als im Kalenderjahr 2023. Die Strafen sind mitunter hoch.
---------------------------------------------
https://www.golem.de/news/loeschpflicht-und-sicherheitsluecken-bussgelder-w…
∗∗∗ Memory corruption vulnerabilities in Suricata and FreeRDP ∗∗∗
---------------------------------------------
While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer.
---------------------------------------------
https://securelist.com/suricata-freerdp-memory-corruption/113489/
∗∗∗ Windows Security best practices for integrating and managing security tools ∗∗∗
---------------------------------------------
We examine the recent CrowdStrike outage and provide a technical overview of the root cause.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-b…
∗∗∗ Understanding the ‘Morphology’ of Ransomware: A Deeper Dive ∗∗∗
---------------------------------------------
Ransomware isnt just about malware. Its about brands, trust, and the shifting allegiances of cybercriminals.
---------------------------------------------
https://www.securityweek.com/understanding-the-morphology-of-ransomware-a-d…
∗∗∗ Recall: Microsofts umstrittenes "Überwachungs"-Feature kommt zurück ∗∗∗
---------------------------------------------
Nach heftigen Sicherheitsbedenken will das Unternehmen bei der neuen KI-Funktion nachgebessert haben
---------------------------------------------
https://www.derstandard.at/story/3000000233374/recall-microsofts-umstritten…
∗∗∗ BLUUID: Firewallas, Diabetics, And… Bluetooth ∗∗∗
---------------------------------------------
Dive into the fascinating and overlooked realm of Bluetooth Low Energy (BTLE) security in GreyNoise Labs latest blog post. Learn techniques for remote device identification, uncover vulnerabilities, and explore the broader implications for IoT and healthcare.
---------------------------------------------
https://www.greynoise.io/blog/bluuid-firewallas-diabetics-and-bluetooth
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.OverviewMandiant Managed Defense identified a memory-only dropper and downloader delivering ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
∗∗∗ Angreifer können Ciscos VoIP-System Unified Communications Manager lahmlegen ∗∗∗
---------------------------------------------
Aufgrund von Sicherheitslücken sind Attacken auf mehrere Cisco-Produkte möglich. Updates sind verfügbar.
---------------------------------------------
https://heise.de/-9843447
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Atlassian Jira August 2024 Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82562/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-08-2024 18:00 − Mittwoch 21-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CrowdStrike unhappy with “shady commentary” from competitors after outage ∗∗∗
---------------------------------------------
Botched update leads to claims that competitors are "ambulance chasing."
---------------------------------------------
https://arstechnica.com/?p=2044431
∗∗∗ GitHub Enterprise Server vulnerable to critical auth bypass flaw ∗∗∗
---------------------------------------------
A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-enterprise-server-vul…
∗∗∗ Großer Chipkonzern: Cyberangriff stört Produktion von Microchip Technology ∗∗∗
---------------------------------------------
Die Produktionskapazitäten des Chipherstellers sind derzeit eingeschränkt. Ursache ist eine Cyberattacke, deren Ausmaß aktuell untersucht wird.
---------------------------------------------
https://www.golem.de/news/grosser-chipkonzern-cyberangriff-stoert-produktio…
∗∗∗ Sicherheitsprobleme: Lastenrad-Skandal weitet sich aus ∗∗∗
---------------------------------------------
Niederländische Verbraucherschützer untersuchen weitere Lastenradhersteller, weil dort ebenfalls gravierende Mängel aufgetreten sind.
---------------------------------------------
https://www.golem.de/news/sicherheitsprobleme-lastenrad-skandal-weitet-sich…
∗∗∗ Plane tracker FlightAware admits user passwords, SSNs exposed for years ∗∗∗
---------------------------------------------
Notification omits a number of key details Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users data for more than three years.
---------------------------------------------
https://www.theregister.com/2024/08/20/flightaware_data_exposure/
∗∗∗ An AWS Configuration Issue Could Expose Thousands of Web Apps ∗∗∗
---------------------------------------------
Amazon has updated its instructions for how customers should more securely implement AWSs traffic-routing service known as Application Load Balancer, but its not clear everyone will get the memo.
---------------------------------------------
https://www.wired.com/story/aws-application-load-balancer-implementation-co…
∗∗∗ Teach a Man to Phish ∗∗∗
---------------------------------------------
I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.
---------------------------------------------
https://posts.specterops.io/teach-a-man-to-phish-43528846e382
∗∗∗ CISA Adds Four Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exp…
∗∗∗ CPU-Sicherheitsleck Sinkclose: Firmware-Update auch für AMDs Ryzen 3000 ∗∗∗
---------------------------------------------
Die CPU-Sicherheitslücke "Sinkclose" ermöglicht Angreifern das Einschleusen von Schadcode. Für ältere CPUs waren erst keine Updates geplant.
---------------------------------------------
https://heise.de/-9842780
=====================
= Vulnerabilities =
=====================
∗∗∗ Unauthenticated information leak in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-659648: A vulnerability was discovered in internal testing of Bosch IP cameras of families CPP13 and CPP14, that allows an unauthenticated attacker to retrieve video analytics event data. No video data is leaked through this vulnerability.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-659648.html
∗∗∗ DSA-5752-1 dovecot - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00165.html
∗∗∗ [20240803] - Core - XSS in HTML Mail Templates ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/944-20240803-core-xss-in-h…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-08-2024 18:00 − Dienstag 20-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows driver zero-day exploited by Lazarus hackers to install rootkit ∗∗∗
---------------------------------------------
The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exp…
∗∗∗ Solaranlagen und die Cloud: Entwickler befürchtet Kollaps europäischer Stromnetze ∗∗∗
---------------------------------------------
Moderne Solaranlagen sind häufig mit Clouddiensten der Hersteller verbunden. Ein Entwickler sieht darin eine große Gefahr für unsere Energieversorgung.
---------------------------------------------
https://www.golem.de/news/solaranlagen-und-die-cloud-entwickler-befuerchtet…
∗∗∗ Approach to mainframe penetration testing on z/OS ∗∗∗
---------------------------------------------
We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems.
---------------------------------------------
https://securelist.com/zos-mainframe-pentesting/113427/
∗∗∗ Hacking Wireless Bicycle Shifters ∗∗∗
---------------------------------------------
This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/08/hacking-wireless-bicycle-shi…
∗∗∗ Ransomware Victims Paid $460 Million in First Half of 2024 ∗∗∗
---------------------------------------------
Ransomware payments in H1 2024 totaled nearly $460 million and $1.58 billion have been stolen in cryptocurrency heists.
---------------------------------------------
https://www.securityweek.com/ransomware-victims-paid-460-million-in-first-h…
∗∗∗ Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion.
---------------------------------------------
https://www.securityweek.com/critical-flaw-in-donation-plugin-exposed-10000…
∗∗∗ Navigating the Uncharted: A Framework for Attack Path Discovery ∗∗∗
---------------------------------------------
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering ..
---------------------------------------------
https://posts.specterops.io/navigating-the-uncharted-a-framework-for-attack…
∗∗∗ Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum ∗∗∗
---------------------------------------------
The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-t…
∗∗∗ Challenges in Automating and Scaling Remote Vulnerability Detection ∗∗∗
---------------------------------------------
We cover investments that Bitsight is making to greatly scale out our vulnerability coverage in record time through automation.
---------------------------------------------
https://www.bitsight.com/blog/challenges-automating-and-scaling-remote-vuln…
∗∗∗ Österreichs Innenminister will Messenger ausspionieren ∗∗∗
---------------------------------------------
Österreichs Geheimdienste sollen mehr Befugnisse erhalten, Malware einschleusen und WLAN-Catcher nutzen dürfen. Das beantragt die Regierungspartei ÖVP.
---------------------------------------------
https://heise.de/-9840256
∗∗∗ Softwareentwicklung: Schadcode-Attacken auf Jenkins-Server beobachtet ∗∗∗
---------------------------------------------
Derzeit nutzen Angreifer eine kritische Lücke im Software-System Jenkins aus. Davon sind auch Instanzen in Deutschland bedroht.
---------------------------------------------
https://heise.de/-9840463
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-28986) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82529/
∗∗∗ Intel Family Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82531/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-08-2024 18:00 − Montag 19-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Nachbetrachtung: Windows und die TCP-IP-Schwachstelle CVE-2024-38063 ∗∗∗
---------------------------------------------
Zum 13. August 2024 wurde die 0-day-Schwachstelle CVE-2024-38063 in Windows bekannt. Es handelt sich um eine Remote-Code-Execution-Schwachstelle in der TCP/IP-Implementierung von Windows steckt. Angreifer können über IPv6-Pakete einen Host kompromittieren und dort Code ausführen. Weben der Bewertung mit dem CVEv3 Score 9.8 (critical, "Exploitation More Likely") empfiehlt Redmond Administratoren momentan IPv6 zu deaktivieren, hat aber auch Sicherheitsupdates für Windows bereitgestellt. Hier sollten Administratoren also reagieren.
---------------------------------------------
https://www.borncity.com/blog/2024/08/16/nachbetrachtung-windows-und-die-tc…
∗∗∗ Technical Analysis: CVE-2024-38021 ∗∗∗
---------------------------------------------
Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication.
---------------------------------------------
https://blog.morphisec.com/technical-analysis-cve-2024-38021
∗∗∗ New Mad Liberator gang uses fake Windows update screen to hide data theft ∗∗∗
---------------------------------------------
A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device. [..] It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-…
∗∗∗ Chrome will redact credit cards, passwords when you share Android screen ∗∗∗
---------------------------------------------
While the flag doesn't work at the moment, it is supposed to hide sensitive form fields present on the page by redacting the entire screen. It's unclear when the feature will be rolled out to everyone in Chrome for Android, but you'll be able to try the feature in Chrome Canary in the next few weeks.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-card…
∗∗∗ AMD knickt ein: Ryzen 3000 erhält nun doch Patch gegen Sinkclose-Lücke ∗∗∗
---------------------------------------------
Ursprünglich wollte AMD Ryzen-3000-CPUs nicht gegen die Sinkclose-Lücke patchen. Nach reichlich Unmut in der Community folgt nun die Kehrtwende.
---------------------------------------------
https://www.golem.de/news/amd-knickt-ein-ryzen-3000-erhaelt-nun-doch-patch-…
∗∗∗ Verbesserung der Netzwerksicherheit: Überwachung der Client-Kommunikation mit Velociraptor ∗∗∗
---------------------------------------------
SEC Defence, die Managed Incident Response-Einheit von SEC Consult, hat eine Reihe von Velociraptor-Artefakten entwickelt, die es ermöglichen, die aktuelle Netzwerkkommunikation auf registrierten Clients zu überwachen und bei bestimmten Verbindungen zu alarmieren, z. B. zu bekannten bösartigen IP-Adressen oder Verbindungen, die von bekannten bösartigen Prozessen erstellt wurden.
---------------------------------------------
https://sec-consult.com/de/blog/detail/verbesserung-der-netzwerksicherheit-…
∗∗∗ Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks ∗∗∗
---------------------------------------------
Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services."Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html
∗∗∗ Microsoft Azure: Ab 15. Oktober 2024 MFA für Administratoren verpflichtend, aber "Aufschub" möglich ∗∗∗
---------------------------------------------
Microsoft hat gerade im M365 Admin-Nachrichten-Center bekannt gegeben, dass man bei Azure ab dem 15.10.2024 die Authentifizierung der Administratoren über MFA verlangt. Redmond gewährt aber Administratoren die Möglichkeit, diese Verpflichtung um insgesamt 5 Monate zu verschieben.
---------------------------------------------
https://www.borncity.com/blog/2024/08/17/microsoft-azure-ab-15-oktober-2024…
∗∗∗ Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove ∗∗∗
---------------------------------------------
The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts, by debugging the stealer on his own computer with a Telegram bot token provided by a customer involved in the Agent Tesla campaign. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign.
---------------------------------------------
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-s…
∗∗∗ "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services ∗∗∗
---------------------------------------------
Mandiant disclosed this vulnerability to Microsoft via the MSRC vulnerability disclosure program, and Microsoft has fixed the underlying issue. [..] Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class. Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/escalating-privile…
∗∗∗ Bericht: Pixel-Handys mit heimlicher, aber inaktiver Fernwartung ausgeliefert ∗∗∗
---------------------------------------------
Pixel-Smartphones wurden auf Wunsch Verizons mit Fernwartungssoftware ausgeliefert. Wenn aktiviert, kann sie unsicheren Code nachladen.
---------------------------------------------
https://heise.de/-9836726
∗∗∗ Jetzt patchen! Schadcode-Attacken auf Solarwinds Web Help Desk beobachtet ∗∗∗
---------------------------------------------
Angreifer nutzen derzeit eine kritische Schwachstelle Solarwinds Web Help Desk aus. Ein Sicherheitspatch ist verfügbar, kann aber mitunter für Probleme sorgen.
---------------------------------------------
https://heise.de/-9838566
∗∗∗ SIM-Swapping bleibt in Deutschland Randphänomen ∗∗∗
---------------------------------------------
Zahlreiche Medien warnen vor Schäden durch SIM-Swapping. Die Betrugsmasche bleibt in Deutschland jedoch selten.
---------------------------------------------
https://heise.de/-9839531
=====================
= Vulnerabilities =
=====================
∗∗∗ Mehrere Sicherheitsschwachstellen in IDOL2 (uciIDOL) ∗∗∗
---------------------------------------------
Fünf schwerwiegende Sicherheitsschwachstellen wurden in der Zeiterfassungssoftware IDOL2 (uciIDOL) identifiziert. Sie ermöglichen es, die verschlüsselte Kommunikation zwischen Client und Server vollständig zu kompromittieren. Außerdem erlauben sie Remote Code Execution sowohl auf Client- als auch auf Serverseite.
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-idol-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/986225/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0004.html
∗∗∗ F5: K000140732: BIND vulnerability CVE-2024-1737 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140732
∗∗∗ Kubernetes: CVE-2024-7646 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/126744
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 14-08-2024 18:00 − Freitag 16-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Opinion: More layers in malware campaigns are not a sign of sophistication ∗∗∗
---------------------------------------------
Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so?
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/37995-malware-sophistication
∗∗∗ Ailurophile: New Infostealer sighted in the wild ∗∗∗
---------------------------------------------
We discovered a new stealer in the wild called "Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the ..
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer
∗∗∗ Tusk: unraveling a complex infostealer campaign ∗∗∗
---------------------------------------------
Kaspersky researchers discovered Tusk campaign with ongoing activity that uses Danabot and StealC infostealers and clippers to obtain cryptowallet credentials and system data.
---------------------------------------------
https://securelist.com/tusk-infostealers-campaign/113367/
∗∗∗ PrestaShop GTAG Websocket Skimmer ∗∗∗
---------------------------------------------
During a recent investigation we uncovered another credit card skimmer leveraging a web socket connection to steal credit card details from an infected PrestaShop website.While PrestaShop is not the most popular eCommerce solution for online stores it is still in the top 10 most common ecommerce platforms in use on the web, and clocks in at just ..
---------------------------------------------
https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html
∗∗∗ Ransomware Attacks on Industrial Firms Surged in Q2 2024 ∗∗∗
---------------------------------------------
Dragos has seen a significant increase in ransomware attacks on industrial organizations in Q2 2024 compared to the previous quarter.
---------------------------------------------
https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-…
∗∗∗ Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments ∗∗∗
---------------------------------------------
We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations AWS environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
∗∗∗ New infostealer targets macOS devices, appears to have Russian links ∗∗∗
---------------------------------------------
Researchers have discovered new information-stealing malware labeled Banshee Stealer that is designed to breach Apple computers.
---------------------------------------------
https://therecord.media/apple-macos-infostealer-banshee-stealer
∗∗∗ Iranian backed group steps up phishing campaigns against Israel, U.S. ∗∗∗
---------------------------------------------
Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor.
---------------------------------------------
https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phi…
∗∗∗ Ransomware Prevention Guide for Managed Service Providers ∗∗∗
---------------------------------------------
This comprehensive ransomware prevention guide outlines a strategic approach to preventing ransomware attacks, drawing upon industry best practices, compelling statistics, and expert insights.
---------------------------------------------
https://www.emsisoft.com/en/blog/45911/ransomware-prevention-guide-for-mana…
∗∗∗ Hacking Beyond.com — Enumerating Private TLDs ∗∗∗
---------------------------------------------
My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/enumerating-privat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, ..
---------------------------------------------
https://lwn.net/Articles/985980/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 13-08-2024 18:00 − Mittwoch 14-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Neue Betrugsmasche auf WhatsApp: Vorsicht vor gefälschten Sicherheitswarnungen ∗∗∗
---------------------------------------------
Derzeit kursieren gefälschte SMS, angeblich vom WhatsApp-Sicherheitscenter. Die Nachricht besagt, dass Ihr Konto gefährdet sei und Sie eine Überprüfung im offiziellen Sicherheitscenter vornehmen müssen.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-whatsapp-vors…
∗∗∗ Versuchte Leistungserschleichung bei Sicherheitsunternehmen ∗∗∗
---------------------------------------------
Mehrere Sicherheitsunternehmen (insbesondere im Bereich von Threat Intelligence) berichten von Versuchen von Bedrohungsakteuren sich unter Vortäuschung falscher Tatsachen Zugriff auf die Produkte betroffener Firmen zu verschaffen.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/8/versuchte-leistungserschleichung-be…
∗∗∗ Biden administration pledges $11 million to open source security initiative ∗∗∗
---------------------------------------------
The White House and Department of Homeland Security (DHS) are partnering on an $11 million initiative to gain an understanding of how open source software is used across critical infrastructure and to better secure it.
---------------------------------------------
https://therecord.media/open-source-software-security-white-house-dhs-11mil…
∗∗∗ FIN7: The Truth Doesnt Need to be so STARK ∗∗∗
---------------------------------------------
The purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in time of activity hosted on the infrastructure of one hosting provider (Stark).
---------------------------------------------
https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark
∗∗∗ Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments ∗∗∗
---------------------------------------------
In this blog we explain about the campaign, the techniques used and how to detect and protect your environments.
---------------------------------------------
https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-clou…
∗∗∗ Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe ∗∗∗
---------------------------------------------
This campaign, which we have investigated in collaboration with Access Now and with the participation of numerous civil society organizations including First Department, Arjuna Team, and RESIDENT.ngo, engages targets with personalized and highly-plausible social engineering in an attempt to gain access to their online accounts. [..] The Citizen Lab is sharing all indicators with major email providers to assist them in tracking and blocking these campaigns.
---------------------------------------------
https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-percei…
∗∗∗ Bundestrojaner: So funktioniert die Chat-Überwachung ∗∗∗
---------------------------------------------
Ein Bundestrojaner ist eine Schadsoftware, die von Behörden und der Polizei verwendet wird. Auch verschlüsselte Nachrichten lassen sich dadurch lesen.
---------------------------------------------
https://futurezone.at/netzpolitik/bundestrojaner-chat-ueberwachung-oesterre…
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds fixes critical RCE bug affecting all Web Help Desk versions ∗∗∗
---------------------------------------------
A critical vulnerability in SolarWinds Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rc…
∗∗∗ Fortinet, Zoom Patch Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Fortinet and Zoom have released patches for multiple vulnerabilities in their products, including high-severity bugs.
---------------------------------------------
https://www.securityweek.com/fortinet-zoom-patch-multiple-vulnerabilities/
∗∗∗ Patchday Microsoft: Angreifer attackieren Office und Windows mit Schadcode ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für verschiedene Microsoft-Produkte erschienen. Aufgrund von laufenden Attacken sollten Admins zügig handeln. [..] Mit einem CVSS-Punktwert von 9,8 gehört eine Sicherheitslücke in Windows' TCP/IP-Stack zu den gefährlichsten Fehlern im aktuellen Patchday. Nicht angemeldete Angreifer, die präparierte IPv6-Pakete an Windows-Rechner schicken, können diese aus der Ferne kompromittieren und eigene Befehle ausführen.
---------------------------------------------
https://heise.de/-9834085
∗∗∗ Xen Security Advisory CVE-2024-31146 / XSA-461 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-461.html
∗∗∗ Xen Security Advisory CVE-2024-31145 / XSA-460 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-460.html
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/14/adobe-releases-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 12-08-2024 18:00 − Dienstag 13-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ APT trends report Q2 2024 ∗∗∗
---------------------------------------------
The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2024/113275/
∗∗∗ AMD won’t patch Sinkclose security bug on older Zen CPUs ∗∗∗
---------------------------------------------
Some AMD processors dating back to 2006 have a security vulnerability that's a boon for particularly underhand malware and rogue insiders, though the chip designer is only patching models made since 2020.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/amd_sinkclos…
∗∗∗ Who uses LLM prompt injection attacks IRL? Mostly unscrupulous job seekers, jokesters and trolls ∗∗∗
---------------------------------------------
Because apps talking like pirates and creating ASCII art never gets old Despite worries about criminals using prompt injection to trick large language models (LLMs) into leaking sensitive data or performing other destructive actions, most of these types of AI shenanigans come from job seekers trying to get their resumes past automated HR screeners – and people protesting generative AI for various reasons, according to Russian security biz Kaspersky.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/who_uses_llm…
∗∗∗ CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz ∗∗∗
---------------------------------------------
On August 5, 2024, researchers at SonicWall discovered a zero-day security flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, which has been assigned a CVSS score of 9.8, allows threat actors to perform pre-authentication remote code execution (RCE). While testing a patch for CVE-2024-36104, SonicWall researchers discovered that unauthenticated access was permitted to the ProgramExport endpoint, potentially enabling the execution of arbitrary code.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce…
∗∗∗ Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation ∗∗∗
---------------------------------------------
NIST has formally published three post-quantum cryptography standards from the competition it held to develop cryptography able to withstand the anticipated quantum computing decryption of current asymmetric encryption.
---------------------------------------------
https://www.securityweek.com/post-quantum-cryptography-standards-officially…
∗∗∗ Falsche Mitteilung im Namen des Bundeskanzleramtes über Entschädigungszahlungen ∗∗∗
---------------------------------------------
Kriminelle versenden im Namen des Bundeskanzleramtes gefälschte E-Mails über eine Entschädigungszahlung für die Wasser- und Energierechnung. Im E-Mail steht, dass Sie € 102,49 erhalten. Für den Erhalt der Summe, müssen Sie aber auf einen Link klicken.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-mitteilung-im-namen-des-bund…
∗∗∗ Harnessing LLMs for Automating BOLA Detection ∗∗∗
---------------------------------------------
Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects.
---------------------------------------------
https://unit42.paloaltonetworks.com/automated-bola-detection-and-ai/
∗∗∗ Strafverfolgern gelingt Schlag gegen Radar/Dispossessor Ransomwaregruppe ∗∗∗
---------------------------------------------
Es ist der nächste Schlag gegen Cyberkriminelle. Strafverfolger aus den USA (FBI), Großbritannien und Deutschland ist es gelungen, die Infrastruktur der Ransomwaregruppe Radar/Dispossessor zu zerschlagen.
---------------------------------------------
https://www.borncity.com/blog/2024/08/13/strafverfolgern-gelingt-schlag-geg…
∗∗∗ Hackers Leak 1.4 Billion Tencent User Accounts Online ∗∗∗
---------------------------------------------
Massive data leak exposes 1.4 billion Tencent user accounts. Leaked data includes emails, phone numbers, and QQ IDs potentially linked to the “Mother of All Breaches” (MOAB).
---------------------------------------------
https://hackread.com/hackers-leak-1-4-billion-tencent-user-accounts-online/
∗∗∗ CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations ∗∗∗
---------------------------------------------
This report delves into the intricacies of the CryptoCore group’s scam and analyses their modus operandi. We will describe key exploited events, including hijacked YouTube accounts and deepfake videos, alongside a technical analysis of the fraudulent sites. One purpose of this study is to present a fundamental analysis – and key statistics – of fraudulent wallets that have received profits in the millions of dollars, as well as provide statistical data on detections, showing how victims are lured into suspicious websites and ultimately end up crypto scam victims.
---------------------------------------------
https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisti…
∗∗∗ Ivanti warns of critical vTM auth bypass with public exploit ∗∗∗
---------------------------------------------
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: August Security Update ∗∗∗
---------------------------------------------
Today, fixes have been released for the following solutions: Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM).
---------------------------------------------
https://www.ivanti.com/blog/august-security-update
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
---------------------------------------------
https://lwn.net/Articles/985481/
∗∗∗ SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps ∗∗∗
---------------------------------------------
SAP has released 25 security notes on August 2024 Security Patch Day, including for critical vulnerabilities in BusinessObjects and Build Apps.
---------------------------------------------
https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-busine…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
AVEVA SuiteLink Server, Rockwell Automation, Ocean Data Systems
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-releases-ten-indust…
∗∗∗ Splunk: SVD-2024-0801: Third-Party Package Updates in Python for Scientific Computing - August 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0801
∗∗∗ Lenovo: NVIDIA GPU Display Driver - July 2024 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500637-NVIDIA-GPU-DISPLAY-DRIV…
∗∗∗ Lenovo: LDCC and LADM Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500636-LDCC-AND-LADM-PRIVILEGE…
∗∗∗ 0patch: The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html
∗∗∗ tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.2.1, 6.3.0 and 6.4.0: SC-202408.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-13
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 09-08-2024 18:00 − Montag 12-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Passwortmanager und VPN-Apps: Klartextpasswörter aus Prozessspeicher gelesen ∗∗∗
---------------------------------------------
Passwörter landen bei der Verarbeitung zwangsläufig im Speicher. Bei einigen Anwendungen verbleiben sie dort aber zu lange, was die Angriffsfläche vergrößert.
---------------------------------------------
https://www.golem.de/news/passwortmanager-und-vpn-apps-klartextpasswoerter-…
∗∗∗ Verschlüsselung ausgehebelt: Forscher übernimmt Kontrolle über Geldautomaten ∗∗∗
---------------------------------------------
So manch ein Hacker träumt davon, die Software von Geldautomaten zu knacken, um sich beliebig viel Bargeld auszahlen zu lassen. Einem Forscher ist wohl genau das gelungen. [..] Für einen erfolgreichen Angriff ist nach Angaben des Sicherheitsforschers allerdings ein physischer Zugang zum jeweiligen Geldautomaten erforderlich, "bei dem man den oberen Teil des Geldautomaten öffnet, die Festplatte herausnimmt und dann den Inhalt der Festplatte manipuliert".
---------------------------------------------
https://www.golem.de/news/verschluesselung-ausgehebelt-forscher-uebernimmt-…
∗∗∗ Experts Uncover Severe AWS Flaws Leading to RCE, Data Theft, and Full-Service Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. [..] Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024.
---------------------------------------------
https://thehackernews.com/2024/08/experts-uncover-severe-aws-flaws.html
∗∗∗ Living off the land with Bluetooth PAN ∗∗∗
---------------------------------------------
Just like in the living off the land native SSH blog post, this is not a new and clever method of attack, rather it is using tools that are built-in to Windows to present an unexpected vector for access to networks that could mask many of the common tools used to assess a network. [..] Look at disabling these using Intune / Group Policy configuration policies. If there is a justification for their use, consider monitoring the usage of these tools in your environment.
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-with-blue…
∗∗∗ BlackHat 2024: Remote Code Execution-Angriff auf M365 Copilot per E-Mail ∗∗∗
---------------------------------------------
Auf der BlackHat 2024 hat Michael Bargury RCE-Angriffe auf M365 Copilot gezeigt – eine E-Mail reicht, um Sensitives zu suchen. Insgesamt stellt Bargury fünf verschiedene Angriffsmethoden auf Microsofts AI-Lösungen vor. Hier mal ein kurzer Abriss zu diesem Thema.
---------------------------------------------
https://www.borncity.com/blog/2024/08/11/blackhat-2024-remote-code-executio…
∗∗∗ Ongoing Social Engineering Campaign Refreshes Payloads ∗∗∗
---------------------------------------------
On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. [..] The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-camp…
∗∗∗ Google Patches Critical Vulnerabilities in Quick Share After Researchers’ Warning ∗∗∗
---------------------------------------------
A groundbreaking presentation at Defcon 32 has revealed critical flaws in Google’s Quick Share, a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. Quick Share boasts impressive versatility, utilizing Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC to facilitate peer-to-peer file transfers however, these protocols are not designed for file transfers but rather to establish stable device connections for communication purposes.
---------------------------------------------
https://hackread.com/google-patches-quick-share-vulnerabilities-warning/
∗∗∗ Mit Domain-Based Authentication in unternehmensinterne Gruppen eindringen ∗∗∗
---------------------------------------------
Was ergeben ein uraltes Protokoll, eine millionenfach benutzte Bibliothek und eine Authentifizierung per Maildomain? Zugang zum internen Github-Netzwerk.
---------------------------------------------
https://heise.de/-9830944
=====================
= Vulnerabilities =
=====================
∗∗∗ Neue Schwachstellen in OpenVPN ∗∗∗
---------------------------------------------
Microsoft hat in den OpenVPN-Clients von Android, iOS, macOS, BSD und Windows eine Reihe Schwachstellen gefunden. Angreifer könnten einige der entdeckten Schwachstellen kombinierte, um eine remote ausnutzbare Angriffskette zu erhalten, die eine Remotecodeausführung (RCE) und lokaler Privilegienerweiterung (LPE) umfasst. Die Schwachstellen sollten durch Updates beseitigt werden, wobei man teilweise auf Firmware diverser Gerätehersteller angewiesen ist.
---------------------------------------------
https://www.borncity.com/blog/2024/08/10/neue-schwachstellen-in-openvpn/
∗∗∗ Sicherheitslücken: Netzwerkmonitoringtool Zabbix kann Passwörter leaken ∗∗∗
---------------------------------------------
In aktuellen Ausgaben des Netzwerkmonitoringtools Zabbix haben die Entwickler insgesamt acht Sicherheitslücken geschlossen. Nach erfolgreichen Attacken können Angreifer etwa Passwörter im Klartext einsehen oder sogar Schadcode ausführen.
---------------------------------------------
https://heise.de/-9832311
∗∗∗ Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks ∗∗∗
---------------------------------------------
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks.
---------------------------------------------
https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.h…
∗∗∗ FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability ∗∗∗
---------------------------------------------
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.
---------------------------------------------
https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.ht…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
---------------------------------------------
https://lwn.net/Articles/985336/
∗∗∗ Warnung vor Microsoft Office Spoofing-Schwachstelle CVE-2024-38200 ∗∗∗
---------------------------------------------
Microsoft hat zum 8. August 2024 (mit Update vom 10. August 2024) eine Warnung von einer ungepatchten Spoofing-Schwachstelle CVE-2024-38200 veröffentlicht. Die Schwachstelle ist in allen Office-Versionen (Office 2016 – 2021, Office 365) enthalten. [..] Angreifer haben die Möglichkeit, über eine spezielle oder kompromittierte Webseite eine Datei bereitzustellen, um die Schwachstelle auszunutzen. Über die Sicherheitslücke könnten NTLM-Hashes gegenüber Remote-Angreifern offengelegt werden.
---------------------------------------------
https://www.borncity.com/blog/2024/08/12/warnung-vor-microsoft-office-spoof…
∗∗∗ Schwachstelle "Ghostwrite" erlaubt DRAM-Zugriff in RISC-V CPUs ∗∗∗
---------------------------------------------
Deutsche Forscher fanden Schwachstellen in einzelnen RISC-V CPUs von T-Head Semiconductors. Die flexible, junge Architektur entpuppt sich dabei als Risiko. [..] Die entdeckten Schwachstellen können allerdings auch nach ihrer Offenlegung nicht mit Mikrocode oder einem Softwareupdate behoben werden, denn sie befinden sich in der Schaltung der Hardware.
---------------------------------------------
https://heise.de/-9830926
∗∗∗ B&R: 2024-08-09: Cyber Security Advisory - B&R Automation Runtime Several vulnerabilities in B&R Automation Runtime ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P011-d8aaf02f.pdf
∗∗∗ Asterisk Security Advisories ∗∗∗
---------------------------------------------
https://www.asterisk.org/downloads/security-advisories/
∗∗∗ GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-re…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily