Daily

daily@lists.cert.at

1 participants
3083 discussions

Tageszusammenfassung - 24.05.2024
by Daily end-of-shift report 24 May '24

24 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-05-2024 18:00 − Freitag 24-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft spots gift card thieves using cyber-espionage tactics ∗∗∗ --------------------------------------------- Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-th… ∗∗∗ DKIM/BIMI: Die Zombies des Debian-OpenSSL-Bugs ∗∗∗ --------------------------------------------- Vor 16 Jahren sorgte ein Bug dafür, dass mit Debian und OpenSSL erstellte Schlüssel unsicher waren. Viele DKIM-Setups nutzten auch 16 Jahre später solche Schlüssel. --------------------------------------------- https://www.golem.de/news/dkim-bimi-die-zombies-des-debian-openssl-bugs-240… ∗∗∗ Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. --------------------------------------------- https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html ∗∗∗ Fake Antivirus Websites Deliver Malware to Android and Windows Devices ∗∗∗ --------------------------------------------- Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. --------------------------------------------- https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.h… ∗∗∗ Google Chrome: Vierte bereits missbrauchte Zero-Day-Lücke in zwei Wochen ∗∗∗ --------------------------------------------- Google schließt eine Zero-Day-Lücke im Chrome-Webbrowser, die bereits angegriffen wird. Die vierte in zwei Wochen. --------------------------------------------- https://heise.de/-9730530 ===================== = Vulnerabilities = ===================== ∗∗∗ Dringend patchen: Gitlab-Schwachstelle ermöglicht Übernahme fremder Konten ∗∗∗ --------------------------------------------- Die Sicherheitslücke ist über ein Bug-Bounty-Programm gemeldet worden. Der Entdecker erhielt dafür mehr als 10.000 US-Dollar von Gitlab. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gitlab-schwachstelle-ermoeglicht… ∗∗∗ Mehrere Schwachstellen entdeckt: Qnap verschläft Patches und gelobt Besserung ∗∗∗ --------------------------------------------- Nach der Entdeckung teils schwerwiegender Sicherheitslücken in QTS und QuTS Hero liefert Qnap Patches und entschuldigt sich für die Verspätung. --------------------------------------------- https://www.golem.de/news/mehrere-schwachstellen-entdeckt-qnap-verschlaeft-… ∗∗∗ CISA Warns of Actively Exploited Apache Flink Security Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, an open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libreoffice, and thunderbird), Red Hat (.NET 7.0, .NET 8.0, gdk-pixbuf2, git-lfs, glibc, python3, and xorg-x11-server-Xwayland), SUSE (firefox, opensc, and ucode-intel), and Ubuntu (cjson and gnome-remote-desktop). --------------------------------------------- https://lwn.net/Articles/974913/ ∗∗∗ Splunk Config Explorer vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56781258/ ∗∗∗ WordPress Plugin "WP Booking" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35838128/ ∗∗∗ Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/exposed-serial-shell-on-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2024
by Daily end-of-shift report 23 May '24

23 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-05-2024 18:00 − Donnerstag 23-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ State hackers turn to massive ORB proxy networks to evade detection ∗∗∗ --------------------------------------------- Security researchers are warning that state-backed hackers are increasingly relying on vast proxy networks of virtual private servers and compromised connected devices for cyberespionage operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massiv… ∗∗∗ ShrinkLocker: Turning BitLocker into ransomware ∗∗∗ --------------------------------------------- The Kaspersky GERT has detected a new group that has been abusing Microsoft Windows features by modifying the system to lower the defenses and using the local MS BitLocker utility to encrypt entire drives and demand a ransom. --------------------------------------------- https://securelist.com/ransomware-abuses-bitlocker/112643/ ∗∗∗ Ihre Website läuft über Jimdo? Vorsicht vor Phishing-Mails zu Zahlungsproblemen! ∗∗∗ --------------------------------------------- Website- und Online-Shop-Betreiber:innen aufgepasst: Wenn Ihre Website über Jimdo läuft, haben es Kriminelle aktuell vermehrt auf Ihre Daten und Ihr Geld abgesehen. Sie versenden dazu Phishing-Mails in denen Probleme mit Ihren laufenden Zahlungen vorgegaukelt werden. --------------------------------------------- https://www.watchlist-internet.at/news/jimdo-phishing-mails/ ∗∗∗ Format String Exploitation: A Hands-On Exploration for Linux ∗∗∗ --------------------------------------------- This blogpost covers a Capture The Flag challenge that was part of the 2024 picoCTF event. --------------------------------------------- https://blog.nviso.eu/2024/05/23/format-string-exploitation-a-hands-on-expl… ∗∗∗ New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea ∗∗∗ --------------------------------------------- Unfading Sea Hazes modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs investigation. --------------------------------------------- https://www.hackread.com/unfading-sea-haze-military-target-south-china-sea/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, libxml2, pgadmin4, and python-libgravatar), Mageia (ghostscript), Red Hat (389-ds:1.4, ansible-core, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, ghostscript, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, idm:DL1, idm:DL1 and idm:client modules, kernel, kernel-rt, krb5, LibRaw, [...] --------------------------------------------- https://lwn.net/Articles/974824/ ∗∗∗ Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials ∗∗∗ --------------------------------------------- Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ ∗∗∗ CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack ∗∗∗ --------------------------------------------- Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. --------------------------------------------- https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justic… ∗∗∗ Cisco: Root-Zugriff durch SQL-Injection-Lücke in Firepower möglich ∗∗∗ --------------------------------------------- Cisco warnt vor Sicherheitslücken in ASA- und Firepower-Appliances. Angreifer können mit SQL-Injection Firepower-Geräte kompromittieren. --------------------------------------------- https://heise.de/-9729121 ∗∗∗ Sicherheitsupdates VMware: Schadcode kann aus VM ausbüchsen ∗∗∗ --------------------------------------------- Admins sollten zeitnah mehrere Sicherheitspatches für diverse VMware-Produkte installieren. --------------------------------------------- https://heise.de/-9729288 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-142-01 ∗∗∗ Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0008 ∗∗∗ AutomationDirect Productivity PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2024
by Daily end-of-shift report 22 May '24

22 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-05-2024 18:00 − Mittwoch 22-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GhostEngine mining attacks kill EDR security using vulnerable drivers ∗∗∗ --------------------------------------------- A malicious crypto mining campaign codenamed REF4578, has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-k… ∗∗∗ Sicherheitsexperte warnt: Neue Windows-Funktion ist ein "Security-Alptraum" ∗∗∗ --------------------------------------------- Mit Recall sollen Windows-Nutzer in die Vergangenheit reisen können. Unter Sicherheits- und Datenschutzexperten stößt das neue Feature auf Unverständnis. --------------------------------------------- https://www.golem.de/news/sicherheitsexperte-warnt-neue-windows-funktion-is… ∗∗∗ Stealers, stealers and more stealers ∗∗∗ --------------------------------------------- In this report, we discuss two new stealers: Acrid and ScarletStealer, and an evolution of the known Sys01 stealer, with the latter two dividing stealer functionality across several modules. --------------------------------------------- https://securelist.com/crimeware-report-stealers/112633/ ∗∗∗ Risky Biz News: DNSBomb attack is here! Pew pew pew!!! ∗∗∗ --------------------------------------------- A team of academics from Tsinghua University in Beijing, China has discovered a new method of launching large-scale DDoS attacks using DNS traffic. --------------------------------------------- https://news.risky.biz/risky-biz-news-dnsbomb-attack-is-here-pew-pew-pew/ ∗∗∗ Gehacktes Brawl Stars Konto: Was tun, wenn ich erpresst werde? ∗∗∗ --------------------------------------------- Ihr eigenes oder das Spielekonto Ihres Kindes wurde gehackt? Die Kriminellen fordern nun Geld oder Gutscheinkarten, um den Zugriff zurückzubekommen? Lassen Sie sich nicht erpressen. Wir zeigen Ihnen, was Sie tun können! --------------------------------------------- https://www.watchlist-internet.at/news/gehacktes-brawl-stars-konto-was-tun-… ∗∗∗ Microsoft Exchange Server: Keylogger infiziert Regierungsorganisationen weltweit ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf einen Keylogger gestoßen, der weltweit Regierungsorganisation, aber auch Banken oder andere Institutionen über Microsoft Exchange Server infiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/22/microsoft-exchange-server-keylogge… ∗∗∗ Rockwell Automation Encourages Customers to Assess and Secure Public-Internet-Exposed Assets ∗∗∗ --------------------------------------------- Rockwell Automation has released guidance encouraging users to remove connectivity on all Industrial Control Systems (ICS) devices connected to the public-facing internet to reduce exposure to unauthorized or malicious cyber activity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/21/rockwell-automation-enco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (kernel), Mageia (chromium-browser-stable, djvulibre, gdk-pixbuf2.0, nss & firefox, postgresql15 & postgresql13, python-pymongo, python-sqlparse, stb, thunderbird, and vim), Red Hat (go-toolset:rhel8, nodejs, and varnish:6), SUSE (gitui, glibc, and kernel), and Ubuntu (libspreadsheet-parseexcel-perl, linux-aws, linux-aws-5.15, linux-gke, linux-gcp, python-idna, and thunderbird). --------------------------------------------- https://lwn.net/Articles/974572/ ∗∗∗ Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager ∗∗∗ --------------------------------------------- Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager. --------------------------------------------- https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnera… ∗∗∗ Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution ∗∗∗ --------------------------------------------- Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-honeywell-virtual-co… ∗∗∗ Kritische Lücke gewährt Angreifern Zugriff auf Veeam Backup Enterprise Manager ∗∗∗ --------------------------------------------- In einer aktuellen Version von Veeam Backup & Replication haben die Entwickler mehrere Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-9726433 ∗∗∗ Patchday: Atlassian rüstet Data Center gegen Schadcode-Attacken ∗∗∗ --------------------------------------------- Admins sollten aus Sicherheitsgründen unter anderem Jira Data Center and Server und Service Management auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9728466 ∗∗∗ K000139685: Python vulnerability CVE-2023-40217 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139685 ∗∗∗ K000139700: Linux kernel usbmon vulnerability CVE-2022-43750 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139700 ∗∗∗ NextGen Healthcare Mirth Connect RCE (CVE-2023-43208, CVE-2023-37679) ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5460 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2024
by Daily end-of-shift report 21 May '24

21 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-05-2024 18:00 − Dienstag 21-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising ∗∗∗ --------------------------------------------- A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for Putty and WinSCP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-wind… ∗∗∗ Banking malware Grandoreiro returns after police disruption ∗∗∗ --------------------------------------------- The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-… ∗∗∗ CISA warns of hackers exploiting Chrome, EoL D-Link bugs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ New BiBi Wiper version also destroys the disk partition table ∗∗∗ --------------------------------------------- A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-… ∗∗∗ GitHub warns of SAML auth bypass flaw in Enterprise Server ∗∗∗ --------------------------------------------- GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-by… ∗∗∗ Ungeschützte API: Sicherheitslücke macht Studenten zu Wäsche-Millionären ∗∗∗ --------------------------------------------- In vielen Hochschulen und Wohnheimen stehen Wäscheautomaten von CSC Serviceworks. Zwei Studenten haben darin eine Sicherheitslücke entdeckt - mit erheblichem Missbrauchspotenzial. --------------------------------------------- https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-student… ∗∗∗ Fluent Bit: Kritische Schwachstelle betrifft alle gängigen Cloudanbieter ∗∗∗ --------------------------------------------- Mit der Schwachstelle lassen sich nicht nur Ausfälle provozieren und Daten abgreifen. Auch eine Schadcodeausführung aus der Ferne ist unter gewissen Umständen möglich. --------------------------------------------- https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-… ∗∗∗ Analyzing MSG Files, (Mon, May 20th) ∗∗∗ --------------------------------------------- .msg email files are ole files and can be analyzed with my tool oledump.py. --------------------------------------------- https://isc.sans.edu/diary/Analyzing+MSG+Files/30940 ∗∗∗ Latrodectus Malware Loader Emerges as IcedIDs Successor in Phishing Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware."These campaigns typically involve a .. --------------------------------------------- https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html ∗∗∗ Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail ∗∗∗ --------------------------------------------- A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible .. --------------------------------------------- https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html ∗∗∗ SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure ∗∗∗ --------------------------------------------- The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from .. --------------------------------------------- https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html ∗∗∗ Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users ∗∗∗ --------------------------------------------- A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads."The VBScript and PowerShell scripts in the .. --------------------------------------------- https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html ∗∗∗ Vorsicht vor Telegram-Gruppe „Scammerpayback“ ∗∗∗ --------------------------------------------- Kriminelle verbreiten in Foren, auf Facebook-Seiten oder Gruppen, in denen Betrugsopfer Unterstützung oder Informationen suchen, falsche Hilfsangebote. Mit gefälschten oder gekaperten Profilen kommentieren sie Facebook-Beiträge der Watchlist Internet und locken in eine Telegram-Gruppe, in der Opfer angeblich ihr Geld zurückbekommen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammer… ∗∗∗ Sicherheitsupdate: DoS-Lücken in Netzwerkanalysetool Wireshark geschlossen ∗∗∗ --------------------------------------------- In der aktuellen Version von Wireshark haben die Entwickler drei Sicherheitslücken geschlossen und mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9725317 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/974339/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure). --------------------------------------------- https://lwn.net/Articles/974450/ ∗∗∗ WAGO: Vulnerability in WAGO Navigator ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-021/ ∗∗∗ WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-068/ ∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates 1.6.7 and 1.5.7 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2024
by Daily end-of-shift report 17 May '24

17 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-05-2024 18:00 − Freitag 17-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zahlungsaufforderungen der IDS EU zu Ihrer Domain ignorieren! ∗∗∗ --------------------------------------------- Österreichische Unternehmen erhalten aktuell Zahlungsaufforderungen einer IDS EU bzw. ids-eu.org und idseu.org. Die Forderungen sollen eine Domainregistrierung betreffen. Bei genauerem Hinsehen offenbart sich, dass IDS EU in Verbindung zu einem früheren Betrug steht, zu welchem die Watchlist Internet bereits berichtete. Es gilt: Nichts bezahlen und die Forderung ignorieren! --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderungen-ids-eu-ignori… ∗∗∗ Aufklärung nach Cyberangriff: BSI setzt Microsoft juristisch unter Druck ∗∗∗ --------------------------------------------- Seit Monaten versucht das BSI, von Microsoft Auskünfte zu einem Cyberangriff von 2023 zu erhalten. Inzwischen hat die Behörde ein Verwaltungsverfahren eröffnet. --------------------------------------------- https://www.golem.de/news/aufklaerung-nach-cyberangriff-bsi-setzt-microsoft… ∗∗∗ Another PDF Streams Example: Extracting JPEGs, (Fri, May 17th) ∗∗∗ --------------------------------------------- In this diary entry, I will show how file-magic.py can augment JSON data produced by pdf-parser.py with file-type information that an then be used by myjson-filter.py to filter out files you are interested in. As an example, I will extract all JPEGs from a PDF document. --------------------------------------------- https://isc.sans.edu/diary/rss/30924 ∗∗∗ New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data ∗∗∗ --------------------------------------------- Dubbed Antidot and spotted in early May, the malware masquerades as a Google Play update and employs overlay attacks to harvest victims’ credentials. [..] “The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble explains. --------------------------------------------- https://www.securityweek.com/new-antidot-android-trojan-allows-cybercrimina… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – May 2024 ∗∗∗ --------------------------------------------- On 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/ma… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and podman), Mageia (chromium-browser-stable, ghostscript, and java-1.8.0, java-11, java-17, java-latest), Red Hat (bind, Firefox, firefox, gnutls, httpd:2.4, and thunderbird), SUSE (glibc, opera, and python-Pillow), and Ubuntu (dotnet7, dotnet8, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-signed, linux-signed-aws, linux-signed-aws-6.5, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi). --------------------------------------------- https://lwn.net/Articles/974055/ ∗∗∗ QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) ∗∗∗ --------------------------------------------- The first four of these bugs have patches available. These bugs are fixed in the following products: QTS 5.1.6.2722 build 20240402 and later, QuTS hero h5.1.6.2734 build 20240414 and later [..] However, the remaining bugs still have no fixes available, even after an extended period. Those who are affected by these bugs are advised to consider taking such systems offline, or to heavily restrict access until patches are available. --------------------------------------------- https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-an… ∗∗∗ Trellix ePolicy Orchestrator ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Vor zwei Sicherheitslücken in ePolicy Orchestrator warnt Hersteller Trellix. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-9722391 ∗∗∗ WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85380030/ ∗∗∗ Rechteausweitung durch unsichere Standardkonfiguration im CI-Out-of-Office Manager (SYSS-2024-013) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-durch-unsichere-standardk… ∗∗∗ Mattermost security update Desktop App v5.8.0 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-desktop-app-v5-8-0-r… ∗∗∗ Palo Alto Networks: CVE-2024-3661 Impact of TunnelVision Vulnerability (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3661 ∗∗∗ F5: K000139652 : Intel CPU vulnerability CVE-2023-23583 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139652 ∗∗∗ F5: K000139643 : Node-tar vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2024
by Daily end-of-shift report 16 May '24

16 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-05-2024 18:00 − Donnerstag 16-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ To the Moon and back(doors): Lunar landing in diplomatic missions ∗∗∗ --------------------------------------------- ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landin… ∗∗∗ Windows Quick Assist abused in Black Basta ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has been investigating this campaign since at least mid-April 2024, and, as they observed, the threat group (tracked as Storm-1811) started their attacks by email bombing the target after subscribing their addresses to various email subscription services. Once their mailboxes flood with unsolicited messages, the threat actors call them while impersonating a Microsoft technical support or the attacked company's IT or help desk staff to help remediate the spam issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-… ∗∗∗ Google patches third exploited Chrome zero-day in a week ∗∗∗ --------------------------------------------- Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-patches-third-exploited… ∗∗∗ Springtail: New Linux Backdoor Added to Toolkit ∗∗∗ --------------------------------------------- The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/springta… ∗∗∗ Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices ∗∗∗ --------------------------------------------- This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection. --------------------------------------------- https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3… ∗∗∗ ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers’ commands or stealing cryptocurrency-related information. The malware newly discovered this time utilizes the open-source OCR engine Tesseract. --------------------------------------------- https://asec.ahnlab.com/en/65426/ ∗∗∗ Talos releases new macOS open-source fuzzer ∗∗∗ --------------------------------------------- Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. [..] Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. --------------------------------------------- https://blog.talosintelligence.com/talos-releases-new-macos-fuzzer/ ∗∗∗ Llama Drama: Critical Vulnerability CVE-2024-34359 Threatening Your Software Supply Chain ∗∗∗ --------------------------------------------- Jinja2: This library is a popular Python tool for template rendering, primarily used for generating HTML. Its ability to execute dynamic content makes it powerful but can pose a significant security risk if not correctly configured to restrict unsafe operations. `llama_cpp_python`: This package integrates Python's ease of use with C++'s performance, making it ideal for complex AI models handling large data volumes. However, its use of Jinja2 for processing model metadata without enabling necessary security safeguards exposes it to template injection attacks. [..] The vulnerability identified has been addressed in version 0.2.72 of the llama-cpp-python package, which includes a fix enhancing sandboxing and input validation measures. --------------------------------------------- https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-3435… ∗∗∗ The xz apocalypse that almost was* ∗∗∗ --------------------------------------------- Given Bitsight’s pretty broad view of the Internet, I thought I could contribute to the discussion a bit and ask “how bad could this have been?” and as a corollary “how many chances would there have been to notice?” So let’s get into the “how bad could this have been?” question first. --------------------------------------------- https://www.bitsight.com/blog/xz-apocalypse-almost-was ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, and nodejs:20), Debian (chromium, firefox-esr, ghostscript, and libreoffice), Fedora (djvulibre, mingw-glib2, mingw-python-jinja2, and mingw-python-werkzeug), Oracle (.NET 7.0, .NET 8.0, kernel, and nodejs:18), Red Hat (nodejs:20), Slackware (gdk and git), SUSE (python), and Ubuntu (linux-hwe-5.15, linux-raspi). --------------------------------------------- https://lwn.net/Articles/973908/ ∗∗∗ Sicherheitslücken in Überwachungskameras und Video-Babyphones ∗∗∗ --------------------------------------------- Schwachstellen aus der ThroughTek Kaylay-IoT-Plattform. Dringend Update-Status der IoT-Geräte prüfen. --------------------------------------------- https://www.zdnet.de/88415973/sicherheitsluecken-in-ueberwachungskameras-un… ∗∗∗ WLAN-Attacke: SSID-Verwechslungs-Angriff macht Nutzer verwundbar ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in WLAN-Protokollen führt dazu, dass Angreifer in einer Man-in-the-Middle-Position WLAN-Verkehr manipulieren können. [..] Das ohnehin nicht mehr sicher zu nutzende WEP ist anfällig, und das neuere, sonst sicherere WPA3 ebenfalls. 802.11X/EAP und Mesh-Netzwerke mit AMPE-Authentifizierung sind laut Auflistung ebenfalls für SSID-Confusion verwundbar. --------------------------------------------- https://heise.de/-9720818 ∗∗∗ Cisco: Updates schließen Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In mehreren Cisco-Produkten klaffen Sicherheitslücken, durch die Angreifer sich etwa root-Rechte verschaffen und Geräte kompromittieren können. [..] Insgesamt warnt Cisco in drei Mitteilungen vor hochriskanten Sicherheitslücken. --------------------------------------------- https://heise.de/-9720226 ∗∗∗ Freies Admin-Panel: Codeschmuggel durch Cross-Site-Scripting in Froxlor ∗∗∗ --------------------------------------------- Dank schludriger Eingabefilterung können Angreifer ohne Anmeldung Javascript im Browser des Server-Admins ausführen. Ein Patch steht bereit. --------------------------------------------- https://heise.de/-9721569 ∗∗∗ Netzwerksicherheit: Diverse Fortinet-Produkte für verschiedene Attacken anfällig ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem FortiSandbox, FortiPortal und FortiWebManager erschienen. --------------------------------------------- https://heise.de/-9720252 ∗∗∗ Access Points von Aruba verwundbar – keine Updates für ältere Versionen ∗∗∗ --------------------------------------------- Insgesamt haben die Entwickler sechs "kritische" Sicherheitslücken in noch unterstützten Versionen von ArubaOS und InstantOS geschlossen. --------------------------------------------- https://heise.de/-9720385 ∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14 ∗∗∗ [R1] Nessus Agent Version 10.6.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-09 ∗∗∗ [R1] Nessus Version 10.7.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-08 ∗∗∗ F5: K000139637 : Expat vulnerability CVE-2024-28757 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139637 ∗∗∗ F5: K000139643 : Node.js vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2024
by Daily end-of-shift report 15 May '24

15 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-05-2024 18:00 − Mittwoch 15-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers ∗∗∗ --------------------------------------------- The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-rce… ∗∗∗ Weitere Schwachstelle entdeckt: Hacker startet erneut Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Die bereits abgegriffenen 49 Millionen Kundendatensätze sind ihm offenbar nicht genug. Menelik greift Dell erneut an. Dieses Mal sind wohl Support-Daten betroffen. --------------------------------------------- https://www.golem.de/news/weitere-schwachstelle-entdeckt-hacker-startet-ern… ∗∗∗ Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain ∗∗∗ --------------------------------------------- One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-lin… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (sssd and tcpdump), Red Hat (.NET 7.0, .NET 8.0, expat, kernel, and kernel-rt), Slackware (mozilla), SUSE (kernel, postgresql15, postgresql16, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, and python3), and Ubuntu (linux-bluefield). --------------------------------------------- https://lwn.net/Articles/973746/ ∗∗∗ ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric ∗∗∗ --------------------------------------------- Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siem… ∗∗∗ Intel Publishes 41 Security Advisories for Over 90 Vulnerabilities ∗∗∗ --------------------------------------------- Intel has published 41 new May 2024 Patch Tuesday advisories covering a total of more than 90 vulnerabilities. [..] The most important flaw, based on its severity rating of ‘critical’ and a CVSS score of 10, is CVE-2024-22476. [..] Intel says this critical vulnerability could allow an unauthenticated attacker to “enable escalation of privilege via remote access”. --------------------------------------------- https://www.securityweek.com/intel-publishes-41-security-advisories-for-ove… ∗∗∗ LibreOffice: Falscher Klick kann zur Ausführung von Schadcode führen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im quelloffenen LibreOffice ermöglicht Angreifern, Opfern Schadcode unterzujubeln. Die müssen nur einmal klicken. --------------------------------------------- https://heise.de/-9719334 ∗∗∗ VMware Workstation und Fusion: Ausbruch aus Gastsystem möglich ∗∗∗ --------------------------------------------- In VMware Workstation und Fusion klaffen Sicherheitslücken, die beim Pwn2Own-Wettbewerb missbraucht wurden. Sie ermöglichen den Ausbruch aus dem Gastsystem. --------------------------------------------- https://heise.de/-9718624 ∗∗∗ Patchday: Angreifer attackieren Windows und verschaffen sich Systemrechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Edge, Dynamics 365 und Windows veröffentlicht. Es gibt bereits Attacken. --------------------------------------------- https://heise.de/-9718608 ∗∗∗ Patchday: Angreifer können Schadcode durch Lücken in Adobe-Software schieben ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe hat unter anderem Animate, Illustrator und Reader vor möglichen Attacken abgesichert. --------------------------------------------- https://heise.de/-9718639 ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ 30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/30000-wordpress-sites-affected-by-ar… ∗∗∗ Bosch: Remote code execution vulnerability has been found over an insecure connection in the Praesensa Logging Application, Praesideo Logging Application and Praesideo PC Call Station ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-106054-bt.html ∗∗∗ B&R: 2024-05-14: Cyber Security Advisory - Insecure Loading of Code in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c… ∗∗∗ SUBNET PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-02 ∗∗∗ F5: K000139592 : libxml2 vulnerability CVE-2023-29469 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139592 ∗∗∗ ZDI-24-456: NI FlexLogger FLXPROJ File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-456/ ∗∗∗ ZDI-24-455: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-455/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2024
by Daily end-of-shift report 14 May '24

14 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 13-05-2024 18:00 − Dienstag 14-05-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPi package backdoors Macs using the Sliver pen-testing suite ∗∗∗ --------------------------------------------- A new package mimicked the popular requests library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-… ∗∗∗ Apple and Google add alerts for unknown Bluetooth trackers to iOS, Android ∗∗∗ --------------------------------------------- On Monday, Apple and Google jointly announced a new privacy feature that warns Android and iOS users when an unknown Bluetooth tracking device travels with .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-and-google-add-alerts-… ∗∗∗ Incident response analyst report 2023 ∗∗∗ --------------------------------------------- The report shares statistics and observations from incident response practice in 2023, analyzes trends and gives cybersecurity recommendations. --------------------------------------------- https://securelist.com/kaspersky-incident-response-report-2023/112504/ ∗∗∗ Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated., (Tue, May 14th) ∗∗∗ --------------------------------------------- Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS. --------------------------------------------- https://isc.sans.edu/diary/rss/30916 ∗∗∗ Ongoing Campaign Bombarded Enterprises with Spam Emails and Phone Calls ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered an ongoing social engineering campaign that bombards enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/ongoing-campaign-bombarded-enterprises.ht… ∗∗∗ Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.The most severe of the vulnerabilities are listed below -CVE-2024-25641 (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that --------------------------------------------- https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.h… ∗∗∗ Log4J shows no sign of fading, spotted in 30% of CVE exploits ∗∗∗ --------------------------------------------- Organizations continue to run insecure protocols across their wide access networks (WAN), making it easier for cybercriminals to move across networks, according to a Cato Networks survey. Enterprises are too trusting within their networks The Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their .. --------------------------------------------- https://www.helpnetsecurity.com/2024/05/14/log4j-wan-insecure-protocols/ ∗∗∗ Google Patches Second Chrome Zero-Day in One Week ∗∗∗ --------------------------------------------- Google has announced patches for another Chrome vulnerability that has been exploited in attacks. This is the second zero-day addressed by the company in one week and the third flaw leveraged in malicious attacks in 2024. The new zero-day, tracked as CVE-2024-4761, has been described as a high-severity out-of-bounds write issue .. --------------------------------------------- https://www.securityweek.com/google-patches-second-chrome-zero-day-in-one-w… ∗∗∗ Falsche Gewinnbenachrichtigungen in echten Gewinnspielen ∗∗∗ --------------------------------------------- An einem Facebook-Gewinnspiel teilgenommen? Vorsicht, Kriminelle nutzen echte Gewinnspiele für Betrugsmaschen. Mit Fake-Profilen kommentieren sie die Kommentare der Teilnehmer:innen und behaupten, sie hätten gewonnen. Mit einem Link locken sie auf eine betrügerische Webseite. Wir zeigen Ihnen, wie Sie sicher an Gewinnspielen teilnehmen! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnbenachrichtigungen-in-… ∗∗∗ Foxit PDF Reader “Flawed Design” : Hidden Dangers Lurking in Common Tools ∗∗∗ --------------------------------------------- Heightened vulnerability: Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit PDF Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands, exploiting human psychology to manipulate users into accidentally providing .. --------------------------------------------- https://blog.checkpoint.com/research/foxit-pdf-reader-flawed-design-hidden-… ∗∗∗ Guidance for organisations considering payment in ransomware incidents ∗∗∗ --------------------------------------------- Advice for organisations experiencing a ransomware attack and the partner organisations supporting them. --------------------------------------------- https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ranso… ∗∗∗ Avast Q1/2024 Threat Report ∗∗∗ --------------------------------------------- Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT CampaignThe post Avast Q1/2024 Threat Report appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/ ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-CORE-SA-2024-010: Uncontrolled Resource Consumption in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-010 ∗∗∗ TYPO3-CORE-SA-2024-009: Cross-Site Scripting in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-009 ∗∗∗ TYPO3-CORE-SA-2024-008: Cross-Site Scripting in Form Manager Module ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-008 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/973667/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/ ∗∗∗ Security Vulnerabilities fixed in Firefox 126 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2024
by Daily end-of-shift report 13 May '24

13 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-05-2024 18:00 − Montag 13-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ GoTo Meeting loads Remcos RAT via Rust Shellcode Loader ∗∗∗ --------------------------------------------- Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos ∗∗∗ API missbraucht: Hacker teilt Details zum Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Ein Cyberkrimineller hat rund 49 Millionen Kundendatensätze von Dell abgegriffen. Möglich gewesen ist ihm dies über eine unzureichend geschützte API eines Partnerportals. --------------------------------------------- https://www.golem.de/news/api-missbraucht-hacker-teilt-details-zum-cyberang… ∗∗∗ FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT. --------------------------------------------- https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html ∗∗∗ Vorsicht vor falschen Anrufen von PayPal oder Amazon ∗∗∗ --------------------------------------------- Derzeit werden uns vermehrt Anrufe im Namen von PayPal und Amazon gemeldet. Die Kriminellen geben vor, ein Problem mit Ihrem Konto zu haben und bieten Ihnen telefonische Hilfe an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-anrufen-von-pa… ∗∗∗ Leveraging DNS Tunneling for Tracking and Scanning ∗∗∗ --------------------------------------------- We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. --------------------------------------------- https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/ ∗∗∗ Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS ∗∗∗ --------------------------------------------- This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling Ive written and some of the fun along the way. --------------------------------------------- https://blog.zsec.uk/hellojackhunter-exploring-winsxs/ ∗∗∗ Not all scams are easy to spot ∗∗∗ --------------------------------------------- Even the most intelligent individuals can fall victim to scams due to coincidental timing and convincing tactics, so staying skeptical, verifying communications and using anti-scam tools is key to reducing the risk. --------------------------------------------- https://www.emsisoft.com/en/blog/45650/not-all-scams-are-easy-to-spot/ ∗∗∗ Europol sperrt eigenes Forum nach erfolgreichem Einbruch ∗∗∗ --------------------------------------------- Die europäische Polizeibehörde hat ihren Dienst "Europol for Experts" vom Netz genommen. Zuvor waren unter anderem Strategiepapiere daraus angeboten worden. --------------------------------------------- https://heise.de/-9715410 ∗∗∗ Ransomware Black Basta zählt nach zwei Jahren weltweit über 500 Opfer ∗∗∗ --------------------------------------------- Das FBI teilt wichtige Fakten im Kampf gegen den Erpressungstrojaner Black Basta. Die Ransomware macht auch vor kritischen Infrastrukturen nicht halt. --------------------------------------------- https://heise.de/-9715674 ===================== = Vulnerabilities = ===================== ∗∗∗ Widely used modems in industrial IoT devices open to SMS attack ∗∗∗ --------------------------------------------- Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/widely-used-modems-in-indust… ∗∗∗ Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the projects logo. --------------------------------------------- https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss). --------------------------------------------- https://lwn.net/Articles/973496/ ∗∗∗ Microsoft fixt DLL-Hijacking-Schwachstelle in Store-App Telemetrie-Wrapper-Installer ∗∗∗ --------------------------------------------- Microsoft hat damit vor einiger Zeit seine Store-Apps mit einem neuen Installer versehen. Dieser enthält einen ausführbaren .NET-Wrapper der Telemetrie und weiteren Code in die App integriert. In der ersten Version wies dieser .NET-Wrapper aber eine DLL-Hijacking-Schwachstelle auf [...] --------------------------------------------- https://www.borncity.com/blog/2024/05/11/microsoft-fixt-dll-hijacking-schwa… ∗∗∗ Self-Signed Zertifikate im SAP® Cloud Connector zugelassen ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/self-signed-zertifika… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2024
by Daily end-of-shift report 10 May '24

10 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2024 18:00 − Freitag 10-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Datenschutzvorfall: Dell informiert über Abfluss von Kundendaten ∗∗∗ --------------------------------------------- Zu den abgeflossenen Informationen zählen laut Dell Namen, Adressdaten sowie weitere Daten über Bestellungen und darin enthaltene Dell-Hardware. --------------------------------------------- https://www.golem.de/news/datenschutzvorfall-dell-informiert-ueber-abfluss-… ∗∗∗ APT trends report Q1 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2024/112473/ ∗∗∗ Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery ∗∗∗ --------------------------------------------- Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. --------------------------------------------- https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html ∗∗∗ GhostStripe attack haunts self-driving cars by making them ignore road signs ∗∗∗ --------------------------------------------- Six boffins mostly hailing from Singapore-based universities have proven it's possible to attack autonomous vehicles by exploiting the system's reliance on camera-based computer vision and cause it to not recognize road signs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/10/baidu_apollo… ∗∗∗ Back to the Hype: An Update on How Cybercriminals Are Using GenAI ∗∗∗ --------------------------------------------- Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-th… ∗∗∗ Zscaler Investigates Hacking Claims After Data Offered for Sale ∗∗∗ --------------------------------------------- Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access. --------------------------------------------- https://www.securityweek.com/zscaler-investigates-hacking-claims-after-data… ∗∗∗ With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge ∗∗∗ --------------------------------------------- The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. --------------------------------------------- https://therecord.media/secure-by-design-companies-cisa-rsa ∗∗∗ In interview, LockbitSupp says authorities outed the wrong guy ∗∗∗ --------------------------------------------- The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake. --------------------------------------------- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit ∗∗∗ Krypto-Betrüger: Sechs Österreicher festgenommen ∗∗∗ --------------------------------------------- Weil sie einen Online-Handel mit angeblich neuer Kryptowährung aufgezogen und damit Investoren abgezockt haben, wurden nun sechs Österreicher verhaftet. --------------------------------------------- https://heise.de/-9714300 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, [...] --------------------------------------------- https://lwn.net/Articles/973071/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl). --------------------------------------------- https://lwn.net/Articles/973206/ ∗∗∗ Admins müssen selbst handeln: PuTTY-Sicherheitslücke bedroht Citrix Hypervisor ∗∗∗ --------------------------------------------- Um XenCenter für Citrix Hypervisor abzusichern, müssen Admins händisch ein Sicherheitsupdate für das SSH-Tool PuTTY installieren. --------------------------------------------- https://heise.de/-9713898 ∗∗∗ Google Chrome: Exploit für Zero-Day-Lücke gesichtet ∗∗∗ --------------------------------------------- In Googles Webbrowser Chrome klafft eine Sicherheitslücke, für die ein Exploit existiert. Google reagiert mit einem Notfall-Update. --------------------------------------------- https://heise.de/-9714519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-05 Reference Advisory: Junos OS and Junos OS Evolved: Multiple CVEs reported in OpenSSH ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Juno… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily