=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-10-2024 18:00 − Wednesday 23-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now public for a vulnerability in
Microsoft's Remote Registry client that could be used to take control of
a Windows domain by downgrading the security of the authentication
process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win…
∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Ireland, participants demonstrated 52
zero-day vulnerabilities across a range of devices, earning a total of
$486,250 in cash prizes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days…
∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day
attacks ∗∗∗
---------------------------------------------
Fortinet publicly disclosed today a critical FortiManager API
vulnerability, tracked as CVE-2024-47575, that was exploited in
zero-day attacks to steal sensitive files containing configurations, IP
addresses, and credentials for managed devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic…
∗∗∗ Android and iOS: Hard-coded cloud credentials discovered in popular
apps ∗∗∗
---------------------------------------------
Several apps, some with millions of downloads, are affected. According
to the discoverers, this endangers not only backend services but also
user data.
---------------------------------------------
https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-…
∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗
---------------------------------------------
In this report, Kaspersky experts analyze recent Grandoreiro campaigns,
new targets, tricks, and banking trojan versions.
---------------------------------------------
https://securelist.com/grandoreiro-banking-trojan/114257/
∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗
---------------------------------------------
Kaspersky GReAT experts break down the new campaign of Lazarus APT
which uses social engineering and exploits a zero-day vulnerability in
Google Chrome for financial gain.
---------------------------------------------
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint
Vulnerability (CVE-2024-38094) ∗∗∗
---------------------------------------------
A high-severity flaw impacting Microsoft SharePoint has been added to
the Known Exploited Vulnerabilities (KEV) catalog by the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday,
citing evidence of active ..
---------------------------------------------
https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html
∗∗∗ Warning, fake shop: sparhimmel24.de ∗∗∗
---------------------------------------------
sparhimmel24.de is a fraudulent online shop that lures you into a trap
with supposed bargains. Orders are not delivered despite payment. We
show you how to recognise fake shops and protect yourself from fraud.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de
∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and
Distraction ∗∗∗
---------------------------------------------
We examine an LLM jailbreaking technique called "Deceptive Delight," a
technique that mixes harmful topics with benign ones to trick AIs, with
a high success rate.
---------------------------------------------
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr…
∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by
nation state in espionage via MSPs ∗∗∗
---------------------------------------------
Did you know there’s widespread exploitation of FortiNet products going
on using a zero day, and that there’s no CVE? Now you do.
---------------------------------------------
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi…
∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗
---------------------------------------------
WarmCookie is a malware family that emerged in April 2024 and has been
distributed via regularly conducted malspam and malvertising campaigns.
---------------------------------------------
https://blog.talosintelligence.com/warmcookie-analysis/
∗∗∗ Security vulnerability in Samsung Android driver under attack ∗∗∗
---------------------------------------------
Drivers for Samsung's mobile processors allow attackers to escalate
their privileges. Google warns of ongoing attacks exploiting this.
---------------------------------------------
https://heise.de/-9991521
∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗
---------------------------------------------
In May 2024, Meta engaged NCC Group’s Cryptography Services practice to
perform a cryptography security assessment of selected aspects of the
WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation.
IPLS underpins the WhatsApp Contacts solution, which aims to store ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber
Devices ∗∗∗
---------------------------------------------
InterMesh Subscriber devices contain multiple vulnerabilities that
could allow an unauthenticated remote attacker to execute arbitrary
code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dmitry, libheif, and
python-sql), Fedora (suricata and wireshark), SUSE (cargo-c,
libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif,
unbound, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/995293/
∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630
series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA
ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of
Firmware and Configuration ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language…
∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-10-2024 18:00 − Tuesday 22-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FortiManager: Update apparently closes security hole under attack ∗∗∗
---------------------------------------------
Without public information, Fortinet has released updates for FortiManager. They apparently close security vulnerabilities that are being attacked.
---------------------------------------------
https://heise.de/-9990393
∗∗∗ An .rdp file can be dangerous too ∗∗∗
---------------------------------------------
Today a spear-phishing campaign was observed across Europe in which the recipient is supposed to open an attached RDP file.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein
∗∗∗ Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗
---------------------------------------------
Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.
---------------------------------------------
https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html
∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗
---------------------------------------------
The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m…
∗∗∗ OpenSSL 3.4.0 released ∗∗∗
---------------------------------------------
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.
---------------------------------------------
https://lwn.net/Articles/995098/
∗∗∗ Akira ransomware continues to evolve ∗∗∗
---------------------------------------------
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
---------------------------------------------
https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/
∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT.
---------------------------------------------
https://blog.talosintelligence.com/gophish-powerrat-dcrat/
∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗
---------------------------------------------
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto…
∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗
---------------------------------------------
This is a continuation of the series on web application security where we dive into cookie dynamics.
---------------------------------------------
https://www.bitsight.com/blog/web-application-security-devops-site-and-orig…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗
---------------------------------------------
VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c…
∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗
---------------------------------------------
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
---------------------------------------------
https://lwn.net/Articles/995095/
∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83995/
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84002/
∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-10-2024 18:00 − Monday 21-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab…
∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗
---------------------------------------------
Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t…
∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗
---------------------------------------------
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.
---------------------------------------------
https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗
---------------------------------------------
Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s…
∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗
---------------------------------------------
The static analyzer uses Claude AI to identify vulns and suggest exploit code. Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropic's Claude AI model.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_…
∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗
---------------------------------------------
Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe.
---------------------------------------------
https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect…
∗∗∗ Cisco confirms attack on DevHub portal and takes it offline ∗∗∗
---------------------------------------------
Cisco has advanced its ongoing investigation into an IT security incident and has now confirmed an attack. Attackers are said to have had access to data not intended for the public.
---------------------------------------------
https://heise.de/-9987412
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode).
---------------------------------------------
https://lwn.net/Articles/994941/
∗∗∗ Attackers can attack PCs running Bitdefender and Trend Micro antivirus software ∗∗∗
---------------------------------------------
Security vulnerabilities in antivirus software from Bitdefender and Trend Micro put systems at risk. Admins should install the available security updates promptly to prevent attacks. [..] In the support section of the Bitdefender website, the developers state that in this context they have closed a total of five security vulnerabilities (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) rated "high". For such an attack to succeed, attackers can, for example, use hash collisions (MD5 and SHA1) to generate certificates that are waved through as legitimate. The security problems are said to be fixed in the automatically installed Total Security version 27.0.25.11.
---------------------------------------------
https://heise.de/-9987394
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-10-2024 18:00 − Friday 18-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗
---------------------------------------------
A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc.
---------------------------------------------
https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142…
∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗
---------------------------------------------
In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack…
∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗
---------------------------------------------
Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks. "Since October 2023, Iranian ..
---------------------------------------------
https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html
∗∗∗ Intel hits back at China's accusations it bakes in NSA backdoors ∗∗∗
---------------------------------------------
Chipzilla says it obeys the law wherever it is, which is nice. Intel has responded to Chinese claims that its chips include security backdoors at the direction of America's NSA.
---------------------------------------------
https://www.theregister.com/2024/10/18/intel_china_security_allegations/
∗∗∗ Alleged Bitcoin crook faces 5 years after SEC's X account pwned ∗∗∗
---------------------------------------------
SIM swappers strike again, warping cryptocurrency prices. An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commission's X account earlier this year.
---------------------------------------------
https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/
∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗
---------------------------------------------
Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI's InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr…
∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗
---------------------------------------------
One of my Mastodon followers sent me an interesting toot today, which led to this forum post ..
---------------------------------------------
https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe…
∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗
---------------------------------------------
Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/
∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗
---------------------------------------------
Call stack spoofing isn't a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, ..
---------------------------------------------
https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/
∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗
---------------------------------------------
North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom.
---------------------------------------------
https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/
∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗
---------------------------------------------
Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time ..
---------------------------------------------
https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of…
∗∗∗ Apple Passwords: This is the recipe for generated passwords ∗∗∗
---------------------------------------------
A senior Apple software engineer explains in a blog post the pattern Apple uses to generate passwords.
---------------------------------------------
https://heise.de/-9986503
=====================
= Vulnerabilities =
=====================
∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1013
∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗
---------------------------------------------
The vulnerabilities allow remote attackers to execute arbitrary code, bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_17
∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1419/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-10-2024 18:00 − Thursday 17-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗
---------------------------------------------
Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke…
∗∗∗ With default credentials: Kubernetes vulnerability allows root access via SSH ∗∗∗
---------------------------------------------
Affected are images created with the Kubernetes Image Builder. There is a patch, but it does not protect existing images.
---------------------------------------------
https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe…
∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗
---------------------------------------------
The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029.
---------------------------------------------
https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a…
∗∗∗ Understanding DORA core concepts: Focus on "Critical or important functions" ∗∗∗
---------------------------------------------
With the aim of achieving a high level of digital operational resilience, DORA provides a comprehensive framework for the effective ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor…
∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗
---------------------------------------------
Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen. UPDATED: Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging ..
---------------------------------------------
https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/
∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗
---------------------------------------------
The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil…
∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗
---------------------------------------------
The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan…
∗∗∗ Russian hacker group claims responsibility for attack on the Internet Archive ∗∗∗
---------------------------------------------
A group calling itself "SN_BLACKMETA" says it carried out DDoS attacks on the internet library.
---------------------------------------------
https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken…
∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗
---------------------------------------------
Explore how macOS Gatekeeper's security could be compromised by third-party apps not enforcing quarantine attributes effectively.
---------------------------------------------
https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗
---------------------------------------------
Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Cyber Resilience Act adopted ∗∗∗
---------------------------------------------
The Cyber Resilience Act (CRA) is an EU regulation on the security of hardware and software products with digital elements, adopted by the Council of the European Union on 10.10.2024. After publication in the Official Journal of the EU, the ..
---------------------------------------------
https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/
∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗
---------------------------------------------
Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest.
---------------------------------------------
https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil
∗∗∗ Why Hackers May Be Targeting You ∗∗∗
---------------------------------------------
In today's evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident ..
---------------------------------------------
https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗
---------------------------------------------
Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/994630/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat.
---------------------------------------------
https://asec.ahnlab.com/en/83877/
∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗
---------------------------------------------
Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany.
---------------------------------------------
https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info…
∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗
---------------------------------------------
A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us…
∗∗∗ Several services affected: Microsoft warns customers of logging data loss ∗∗∗
---------------------------------------------
Because of a software bug, Microsoft has lost some log data that is important to its customers. Several of the company's cloud services are affected.
---------------------------------------------
https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-…
∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗
---------------------------------------------
The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.
---------------------------------------------
https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html
∗∗∗ Windows 11 24H2: problems with VPN connections, Direct Access … ∗∗∗
---------------------------------------------
Since Microsoft released Windows 11 24H2 for general availability, I have come across reports of problems around VPN connections (CheckPoint VPN, WireGuard, Direct Access). I am summarising some of these reports in one post, partly to get a picture of whether these are isolated cases or whether more people are affected.
---------------------------------------------
https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v…
∗∗∗ Windows 11 24H2: Recall cannot be uninstalled … ∗∗∗
---------------------------------------------
Despite assurances to the contrary, it is currently turning out that Microsoft's controversial Recall feature cannot be uninstalled under Windows 11 24H2 [without collateral damage]; the situation is apparently still in flux.
---------------------------------------------
https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins…
∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗
---------------------------------------------
This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran…
∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗
---------------------------------------------
The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines. This enables private data to be held locally instead of being sent to a cloud for processing.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗
---------------------------------------------
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory.
---------------------------------------------
https://www.oracle.com/security-alerts/cpuoct2024.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim).
---------------------------------------------
https://lwn.net/Articles/994436/
∗∗∗ HP DesignJet printers: attackers can harvest SMTP server logins ∗∗∗
---------------------------------------------
According to an advisory, the vulnerability (CVE-2024-5749) is rated "high" severity. If an attack succeeds, SMTP server credentials can be read. HP's developers do not currently explain how such an attack might proceed. Specifically affected are the DesignJet models T730 and T830.
---------------------------------------------
https://heise.de/-9983364
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/
∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_14
∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_13
∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html
∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141463
∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141459
∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141302
∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140061
∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141080
=====================
= End-of-Day report =
=====================
Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗
---------------------------------------------
Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro…
∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗
---------------------------------------------
The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s…
∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗
---------------------------------------------
This blog post is the first of three that look at the key steps for an effective investigation, response, and remediation of email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv…
∗∗∗ Beware of calls from the "Bankbetrugssystem Österreich" (Austrian bank fraud system) ∗∗∗
---------------------------------------------
We are currently again receiving increased reports of robocalls. A computer-generated voice claims to be the "Bankbetrugssystem Österreich" and says that a payment of 1500 euros has been declined and that your account may have been hacked. You are asked to press "1" to be connected to a real person. Hang up; this is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs…
∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗
---------------------------------------------
ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers.
---------------------------------------------
https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability,
CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability,
CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex…
∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗
---------------------------------------------
Today we'd like to share a recent journey into (yet another) SSL VPN appliance vulnerability: a format string vulnerability, unusually, in Fortinet's FortiGate devices. It affected (before patching) all currently maintained branches, and was recently highlighted by CISA as being exploited in the wild.
---------------------------------------------
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗
---------------------------------------------
Splunk released 12 security advisories: 4x high, 8x medium
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ Critical vulnerabilities in mbNET industrial routers ∗∗∗
---------------------------------------------
Several, in part severe, security vulnerabilities have been identified in mbNET industrial remote-maintenance gateways and industrial routers. They make it possible to fully compromise the device and to decrypt encrypted configurations.
---------------------------------------------
https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3).
---------------------------------------------
https://lwn.net/Articles/994268/
∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗
---------------------------------------------
The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve.
---------------------------------------------
https://therecord.media/wordpress-jetpack-plugin-fixes-flaw
∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1382/
∗∗∗ Numerous vulnerabilities in Rittal IoT Interface & CMC III Processing Unit ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83868/
∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/128007
∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/128006
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗
---------------------------------------------
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a…
∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗
---------------------------------------------
Google's Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the company's deprecation of the Manifest V2 extension specification.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and…
∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗
---------------------------------------------
Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc…
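The summary above does not spell out the checks behind that guidance, so here is an added example (not Microsoft's code and not from the linked post) of the two things an administrator would want to script: an audit of which SPN-bearing accounts are worth roasting (user accounts, RC4/DES still allowed, AES not enabled, old password; computer and gMSA accounts are skipped because their passwords are long and auto-rotated), and a detector over 4769 "service ticket requested" events that flags one requester asking for many distinct RC4 (etype 0x17) tickets in a short window. The account records and events are constructed inline; the thresholds, the account and service names, and the treatment of a missing msDS-SupportedEncryptionTypes as "RC4 allowed" are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags advertised by an AD account
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x01, 0x02, 0x04, 0x08, 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ANY = AES128_CTS | AES256_CTS
UAC_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit
ETYPE_RC4_IN_4769 = 0x17                    # TicketEncryptionType for RC4-HMAC in event 4769
NOW = datetime(2024, 10, 14)                # fixed "today" so the constructed audit is deterministic


def audit_spn_account(acct, max_pw_age_days=365, now=NOW):
    """Return the reasons an account is an attractive Kerberoasting target ([] if none).

    Assumption: a missing or zero msDS-SupportedEncryptionTypes is treated as
    'RC4 allowed', the historical default for user accounts.
    """
    if not acct.get("servicePrincipalName"):
        return []                            # no SPN: nobody can request a ticket for it
    if acct.get("objectClass") in ("computer", "msDS-GroupManagedServiceAccount"):
        return []                            # long, auto-rotated passwords; not crackable offline
    if acct.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
        return []
    reasons = []
    enc = acct.get("msDS-SupportedEncryptionTypes", 0)
    if enc == 0 or enc & WEAK_ETYPES:
        reasons.append("RC4/DES service tickets allowed (crackable far faster than AES)")
    if not enc & AES_ANY:
        reasons.append("AES not enabled in msDS-SupportedEncryptionTypes")
    age = now - acct["pwdLastSet"]
    if age > timedelta(days=max_pw_age_days):
        reasons.append(f"password last set {age.days} days ago")
    return reasons


def detect_roasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag requesters that obtain RC4 service tickets for many distinct SPNs in a short window.

    `events` are parsed 4769 records with EventID, Time, TargetUserName (the requesting
    account), ServiceName and TicketEncryptionType. Returns [(requester, sorted services)].
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4769 and ev["TicketEncryptionType"] == ETYPE_RC4_IN_4769:
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):          # slide a window over the requester's RC4 tickets
            in_window = [e for e in evs[i:] if e["Time"] - first["Time"] <= window]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= min_services:
                alerts.append((user, sorted(services)))
                break
    return alerts


# --- constructed sample data (not real directory or event-log content) ---
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": datetime(2019, 3, 1)},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": AES_ANY,
     "pwdLastSet": datetime(2024, 9, 1)},
    {"sAMAccountName": "gmsa_app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/app01.corp.example"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": AES_ANY,
     "pwdLastSet": datetime(2024, 10, 1)},
    {"sAMAccountName": "jdoe", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": AES_ANY,
     "pwdLastSet": datetime(2022, 1, 1)},
]

T0 = datetime(2024, 10, 14, 9, 0, 0)
EVENTS_4769 = [
    # one requester asks for three different RC4 service tickets within a minute
    {"EventID": 4769, "Time": T0, "TargetUserName": "pwned@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17},
    {"EventID": 4769, "Time": T0 + timedelta(seconds=20), "TargetUserName": "pwned@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x17},
    {"EventID": 4769, "Time": T0 + timedelta(seconds=45), "TargetUserName": "pwned@CORP.EXAMPLE",
     "ServiceName": "svc_fs", "TicketEncryptionType": 0x17},
    # a normal user fetching one RC4 ticket and one AES ticket is not flagged
    {"EventID": 4769, "Time": T0 + timedelta(minutes=10), "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=11), "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x12},
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        for r in audit_spn_account(a):
            print(f"{a['sAMAccountName']}: {r}")
    for user, services in detect_roasting(EVENTS_4769):
        print(f"possible Kerberoasting by {user}: {services}")
```

In a real environment the records would come from an LDAP query for accounts with a servicePrincipalName and from the security log of the domain controllers; the thresholds above are deliberately low so the constructed data triggers them and should be tuned against a baseline before use.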
∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗
---------------------------------------------
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.
---------------------------------------------
https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html
∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗
---------------------------------------------
While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve.
---------------------------------------------
https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams
∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗
---------------------------------------------
Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates.
---------------------------------------------
https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da…
∗∗∗ Warning: new text-based QR code phishing variants ∗∗∗
---------------------------------------------
Security researchers at Barracuda have come across a new way of building phishing messages. Instead of the usual static images, these use QR codes made of text-based ASCII/Unicode characters in order to evade conventional security measures.
---------------------------------------------
https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-…
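Image-based QR scanners never see these codes because the message body contains no image, only rows of block characters. As an added example (not Barracuda's detection and not from the linked post), the heuristic below classifies each line of a message as a row of a text-rendered grid (Unicode block elements such as █ ▀ ▄, or an ASCII fill such as #) and reports runs of such rows long enough to be a QR code. The sample messages are constructed inline, and the width, row-count and fill-ratio thresholds are assumptions to tune per environment.

```python
BLOCK_CHARS = set("█▀▄▌▐░▒▓")                # Unicode block elements used to draw modules
ASCII_FILL = set("#@*X%")                    # typical fill characters of pure-ASCII variants
MIN_WIDTH, MIN_ROWS, MIN_FILL = 15, 8, 0.3   # heuristic thresholds (assumed; tune per environment)


def grid_row_kind(line):
    """Classify one line as a row of a text-rendered QR grid: 'unicode', 'ascii' or None."""
    s = line.rstrip()
    if len(s) < MIN_WIDTH:
        return None
    chars = set(s)
    if chars <= BLOCK_CHARS | {" "}:
        fill = sum(c in BLOCK_CHARS for c in s) / len(s)
        return "unicode" if fill >= MIN_FILL else None
    if chars <= ASCII_FILL | {" "}:
        fill = sum(c in ASCII_FILL for c in s) / len(s)
        return "ascii" if fill >= MIN_FILL else None
    return None


def find_text_qr_blocks(text):
    """Return [{'start': n, 'end': m, 'kind': k}, ...] (1-based line numbers) for every
    run of at least MIN_ROWS consecutive grid rows of the same kind."""
    blocks, start, kind = [], None, None
    for i, line in enumerate(text.splitlines() + [""]):   # sentinel line flushes a trailing run
        k = grid_row_kind(line)
        if k is not None and k == kind:
            continue                                        # run continues
        if kind is not None and i - start >= MIN_ROWS:
            blocks.append({"start": start + 1, "end": i, "kind": kind})
        start, kind = (i, k) if k else (None, None)         # start a new run or reset
    return blocks


# --- constructed sample messages (the "QR codes" are made-up patterns, not scannable) ---
PHISH_UNICODE = "\n".join([
    "Your mailbox will be suspended. Scan the code below to re-verify:",
    "",
    "█▀▀▀▀▀█ ▄▀▄ ▀ █▀▀▀▀▀█",
    "█ ███ █ ▀▄█▀▄ █ ███ █",
    "█ ▀▀▀ █ █▄ ▀█ █ ▀▀▀ █",
    "▀▀▀▀▀▀▀ █ ▀ █ ▀▀▀▀▀▀▀",
    "▀█▄ ▀▄▀▄▀█ ▄▀█▄▀ ▀█▄▀",
    " ▄▀ █▀▀ ▄▄▀▀ █▄▀▄▀ ▄█",
    "▀▀▀▀▀▀▀ ▄█ ▀▄▀ █ ▀▄ █",
    "█▀▀▀▀▀█ ▀▄▀▄█ ▄ █▄ ▀▀",
    "█ ███ █ █ ▀▄ ▀█▀▄▀▄ █",
    "█ ▀▀▀ █ ▄▀▄█ ▄ ▀█ ▀▄█",
    "▀▀▀▀▀▀▀ ▀ ▀▀ ▀ ▀▀▀▀▀▀",
    "",
    "IT Support",
])

PHISH_ASCII = "\n".join([
    "Invoice overdue. Scan to pay:",
    "####### #  ## #######",
    "#     # ## ## #     #",
    "# ### # # # # # ### #",
    "# ### # ## ## # ### #",
    "# ### #  # #  # ### #",
    "#     # # ### #     #",
    "####### # # # #######",
    "        ## ### #",
    "####### ### # # ## ##",
    "Accounts",
])

BENIGN = "\n".join([
    "Hi team,",
    "Quarterly numbers are attached.",
    "",
    "-- ",
    "Alice",
    "====================",
    "|  region  |  total  |",
])

if __name__ == "__main__":
    for name, msg in (("unicode", PHISH_UNICODE), ("ascii", PHISH_ASCII), ("benign", BENIGN)):
        print(name, find_text_qr_blocks(msg))
```

A hit only says "there is a text-drawn grid here"; the natural next step in a mail pipeline is to render the flagged rows to a bitmap and decode them like an image QR code so the target URL can be checked.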
∗∗∗ Vulnerability in Ecovacs robot vacuums allows remote control by hackers ∗∗∗
---------------------------------------------
In the USA there is a growing number of cases in which hacked robot vacuums, apparently under remote control, shout insults and stream images from their built-in camera.
---------------------------------------------
https://heise.de/-9979104
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency update: Tor users attacked via critical Firefox vulnerability ∗∗∗
---------------------------------------------
A critical Firefox vulnerability also affects the Tor Browser and Thunderbird. Patches are available, but for some Tor users they come too late.
---------------------------------------------
https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox…
∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗
---------------------------------------------
The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary code.
---------------------------------------------
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon).
---------------------------------------------
https://lwn.net/Articles/994080/
∗∗∗ Security update: attackers can crash the Wireshark network analysis tool ∗∗∗
---------------------------------------------
Wireshark has been released in a version hardened against possible attacks. The developers have also fixed several bugs in it.
---------------------------------------------
https://heise.de/-9979991
∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1374/
∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1369/
∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗
---------------------------------------------
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now…
∗∗∗ Digital war: Russian hackers said to be using Zimbra and TeamCity exploits ∗∗∗
---------------------------------------------
Russian state hackers are targeting Zimbra and JetBrains TeamCity installations at Western companies, the USA and the UK warn.
---------------------------------------------
https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un…
∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗
---------------------------------------------
The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said.
---------------------------------------------
https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html
∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗
---------------------------------------------
If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.
---------------------------------------------
https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗
---------------------------------------------
Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗
---------------------------------------------
Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.
---------------------------------------------
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗
---------------------------------------------
Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome.
---------------------------------------------
https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/
∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗
---------------------------------------------
CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure…
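The reason the unencrypted cookie is useful to an attacker is that its value is simply the pool member's IPv4 address (as a little-endian decimal) and port (with its two bytes swapped), so anyone who receives it can read the internal address the load balancer sent them to. The following added example (not from CISA or F5) decodes that plaintext form, encodes it again so the test data is reproducible, and scans a set of Set-Cookie headers to report which pools expose a private backend. The header values are constructed; the "encrypted" value is a stand-in that merely fails to parse, and the IPv6/route-domain cookie layouts are not handled.

```python
import ipaddress
import re
import socket
import struct

# Plaintext IPv4 persistence cookie value: "<IP as little-endian decimal>.<port, bytes swapped>.0000"
PLAINTEXT_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value):
    """Decode an unencrypted IPv4 BIG-IP persistence cookie value into (ip, port).

    Returns None when the value is not in that form (encrypted cookies, and the
    IPv6/route-domain variants, use a different layout that is not handled here).
    """
    m = PLAINTEXT_IPV4.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = socket.inet_ntoa(struct.pack("<I", ip_int))           # little-endian dword -> dotted quad
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]  # swap the two port bytes
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie; used here to build reproducible sample values."""
    ip_int = struct.unpack("<I", socket.inet_aton(ip))[0]
    port_int = struct.unpack(">H", struct.pack("<H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def find_leaked_backends(set_cookie_headers):
    """Scan Set-Cookie header values and report what each BIGipServer* cookie reveals."""
    findings = []
    for hdr in set_cookie_headers:
        name, _, rest = hdr.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue                                    # not a BIG-IP persistence cookie
        value = rest.split(";", 1)[0].strip()           # drop path/flags attributes
        pool = name[len("BIGipServer"):]
        decoded = decode_bigip_cookie(value)
        if decoded is None:
            findings.append({"pool": pool, "status": "opaque", "ip": None, "port": None})
            continue
        ip, port = decoded
        findings.append({"pool": pool, "status": "plaintext", "ip": ip, "port": port,
                         "internal": ipaddress.ip_address(ip).is_private})
    return findings


# Constructed sample response headers; the numeric values were produced with encode_bigip_cookie.
SAMPLE_SET_COOKIE = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",            # 10.1.1.100:8080
    "BIGipServerapp_pool=167880896.47873.0000; path=/; HttpOnly",    # 192.168.1.10:443
    "BIGipServerapi_pool=!kM7pQ2aXf9b1Lw; path=/",                  # stand-in for an encrypted value
    "sessionid=5f1c9d; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in find_leaked_backends(SAMPLE_SET_COOKIE):
        print(finding)
```

Running the scan over your own external responses is a quick way to confirm whether cookie encryption is actually in effect on a given virtual server: a value that decodes to an RFC 1918 address is exactly the enumeration primitive CISA describes.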
∗∗∗ EU Council gets the Cyber Resilience Act under way ∗∗∗
---------------------------------------------
In future, networked products placed on the market in the EU must be secured against attacks and signal this with the CE mark.
---------------------------------------------
https://heise.de/-9977103
=====================
= Vulnerabilities =
=====================
∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗
---------------------------------------------
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.
---------------------------------------------
https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h…
∗∗∗ Privileged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-472
∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗
---------------------------------------------
It is possible to:
* Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses
* Extract all Gyms join passwords
[..]
* Bypass user-chosen privacy settings
---------------------------------------------
https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
---------------------------------------------
https://lwn.net/Articles/993778/
∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗
---------------------------------------------
* CVE-2024-9680: Use-after-free in Animation timeline
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/
∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗
---------------------------------------------
The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type.
---------------------------------------------
https://asec.ahnlab.com/en/83775/
∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗
---------------------------------------------
* CVE-2024-45720: Subversion versions up to and including 1.14.3 (Windows)
* CVE-2024-47561: Apache Avro Java SDK versions before 1.11.4
---------------------------------------------
https://asec.ahnlab.com/en/83776/
∗∗∗ Anonymising Linux: Tails 6.8.1 closes a critical security hole ∗∗∗
---------------------------------------------
Tails Linux, intended for anonymous browsing, closes a security hole in version 6.8.1. It also improves the handling of persistent storage.
---------------------------------------------
https://heise.de/-9977905
∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN54676967/
∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗
---------------------------------------------
Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component.
---------------------------------------------
https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h…
∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗
---------------------------------------------
Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-…
∗∗∗ Does anyone here use a smartphone with a Qualcomm SoC? ∗∗∗
---------------------------------------------
For many Android devices out there the answer is: yes. The zero-day vulnerability, officially designated CVE-2024-43047, "may be under limited, targeted exploitation," according to Qualcomm, citing unspecified "indications" from Google's Threat Analysis Group, the company's research unit that investigates government hacking threats.
---------------------------------------------
http://blog.fefe.de/?ts=99f9d232
∗∗∗ Magenta ID deactivated: Beware of a deceptively genuine phishing e-mail ∗∗∗
---------------------------------------------
A very well forged Magenta e-mail is currently circulating in Austria. Those who look closely can spot the fake.
---------------------------------------------
https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi…
∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗
---------------------------------------------
Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket
∗∗∗ File hosting services misused for identity phishing ∗∗∗
---------------------------------------------
Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi…
∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗
---------------------------------------------
DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and on its own website for as little as $60. Written in C/C++ and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT's capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi…
∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗
---------------------------------------------
* New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider
* Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested
* New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies
---------------------------------------------
https://asec.ahnlab.com/en/83739/
∗∗∗ Internet Archive under attack: Over 30 million user records stolen ∗∗∗
---------------------------------------------
As yet unknown attackers have targeted the Internet Archive several times. User data and password hashes had already been exfiltrated in September.
---------------------------------------------
https://heise.de/-9975986
=====================
= Vulnerabilities =
=====================
∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗
---------------------------------------------
GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb…
∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands. The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck.
---------------------------------------------
https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html
∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗
---------------------------------------------
Project: wkhtmltopdf
Date: 2024-October-09
Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:All
Vulnerability: Unsupported
Affected versions: *
Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
Sol…: If you use this project,
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-049
∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗
---------------------------------------------
Project: Facets
Date: 2024-October-09
Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Affected versions:
Description: This module enables you to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script, leading to a reflected cross site scripting (XSS) vulnerability.
Solution: Install the latest version: If you use the Facets module, upgrade to Facets
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-047
∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗
---------------------------------------------
Project: Block permissions
Date: 2024-October-09
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=1.0.0
Description: This module enables you to manage blocks from specific modules in specific themes. The module doesn't sufficiently check permissions when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-046
∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗
---------------------------------------------
Project: Monster Menus
Date: 2024-October-09
Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Information Disclosure
Affected versions:
Description: This module enables you to group nodes within pages that have a highly granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-045
∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗
---------------------------------------------
Project: Gutenberg
Date: 2024-October-09
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: =3.0.0
Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-048
∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗
---------------------------------------------
Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/extern…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).
---------------------------------------------
https://lwn.net/Articles/993595/
∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗
---------------------------------------------
An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version.
---------------------------------------------
https://asec.ahnlab.com/en/83704/
∗∗∗ Ivanti Product Security Update Advisory ∗∗∗
---------------------------------------------
* CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA), versions up to and including 5.0.1
* CVE-2024-7612: Ivanti EPMM (Core), versions up to and including 12.1.0.3
* CVE-2024-9167: Velocity License Server, versions 5.1 through 5.1.2 (inclusive)
---------------------------------------------
https://asec.ahnlab.com/en/83706/
∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗
---------------------------------------------
Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version.
---------------------------------------------
https://asec.ahnlab.com/en/83710/
∗∗∗ SAP Product Security Update Advisory ∗∗∗
---------------------------------------------
* CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420
* CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440
* CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108
---------------------------------------------
https://asec.ahnlab.com/en/83736/
∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗
---------------------------------------------
1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability
2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability
3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017
∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs
* ICSA-24-284-02 Siemens Simcenter Nastran
* ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go
* ICSA-24-284-04 Siemens SENTRON PAC3200 Devices
* ICSA-24-284-05 Siemens Questa and ModelSim
* ICSA-24-284-06 Siemens SINEC Security Monitor
* ICSA-24-284-07 Siemens JT2Go
* ICSA-24-284-08 Siemens HiMed Cockpit
* ICSA-24-284-09 Siemens PSS SINCAL
* ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs
* ICSA-24-284-11 Siemens RUGGEDCOM APE1808
* ICSA-24-284-12 Siemens Sentron Powercenter 1000
* ICSA-24-284-13 Siemens Tecnomatix Plant Simulation
* ICSA-24-284-14 Schneider Electric Zelio Soft 2
* ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud
* ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud
* ICSA-24-284-17 Rockwell Automation Verve Asset Manager
* ICSA-24-284-18 Rockwell Automation Logix Controllers
* ICSA-24-284-19 Rockwell Automation PowerFlex 6000T
* ICSA-24-284-20 Rockwell Automation ControlLogix
* ICSA-24-284-21 Delta Electronics CNCSoft-G2
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one…
∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗
---------------------------------------------
Threat actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be triggered simply by sending specially crafted emails to the SMTP server.
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce
∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running specific command (CVE-2024-47496) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-438590.html
∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9469
∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9471
∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9468
∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0010
∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9473
∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0011
∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9470
∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0010