=====================
= End-of-Day report =
=====================
Timeframe: Freitag 12-07-2024 18:00 − Montag 15-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Neue Absenderadresse für unsere täglichen Mails an Netzbetreiber ∗∗∗
---------------------------------------------
Wir versenden jeden Tag zwischen 150 und 250 Mails an unsere Kontakte bei Netzbetreibern in Österreich, um diese über Probleme in ihren Netzen zu informieren, die wir (bzw. unsere Datenquellen) dort gefunden haben. [..] Jetzt haben wir uns dazu entschlossen, den gleichen Weg zu nehmen, den schon viele andere Firmen beschritten haben: Wir senden ab sofort diese Mails nicht mehr von team(a)cert.at als Absender, sondern von noreply(a)cert.at aus. [..] Echte Rückfragen sollten weiterhin an team(a)cert.at gerichtet werden.
---------------------------------------------
https://www.cert.at/de/blog/2024/7/neuer-absender-fuer-notifications
∗∗∗ Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD ∗∗∗
---------------------------------------------
On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosur…
∗∗∗ Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found ∗∗∗
---------------------------------------------
Microsoft confirmed last week that Windows is not affected by the vulnerability.
---------------------------------------------
https://www.securityweek.com/microsoft-says-windows-not-impacted-by-regress…
∗∗∗ ClickFix Deception: A Social Engineering Tactic to Deploy Malware ∗∗∗
---------------------------------------------
The HTML file masquerades as a Word document, displaying an error prompt to deceive users. [..] In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. [..] Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-s…
∗∗∗ DNS hijacks target crypto platforms registered with Squarespace ∗∗∗
---------------------------------------------
A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-pl…
∗∗∗ June Windows Server updates break Microsoft 365 Defender features ∗∗∗
---------------------------------------------
Microsoft has confirmed that Windows Server updates from last months Patch Tuesday break some Microsoft 365 Defender features that use the network data reporting service.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/june-windows-server-updates…
∗∗∗ Facebook ads for Windows desktop themes push info-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. [..] While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-the…
∗∗∗ Knot Resolver 6 News: DoS protection – operator’s overview ∗∗∗
---------------------------------------------
The team behind Knot Resolver, the scalable caching DNS resolver, is hard at work developing a complex solution for protecting DNS servers and other participants on the Internet alike against denial-of-service attacks. This effort is a part of the ongoing DNS4EU project, co-funded by the European Union1, which we are a proud part of. [..] As usual with projects from CZ.NIC, all of this code is also free and open source under the GPL license, so everyone is free to study and adapt it for their own exciting purposes.
---------------------------------------------
https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-opera…
∗∗∗ 16-bit Hash Collisions in .xls Spreadsheets, (Sat, Jul 13th) ∗∗∗
---------------------------------------------
Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions. I generated such a list, and included it in an update of my oledump plugin plugin_biff.py.
---------------------------------------------
https://isc.sans.edu/diary/rss/31066
∗∗∗ Protected OOXML Spreadsheets, (Mon, Jul 15th) ∗∗∗
---------------------------------------------
I was asked a question about the protection of an .xlsm spreadsheet [..]
---------------------------------------------
https://isc.sans.edu/diary/rss/31070
∗∗∗ CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool ∗∗∗
---------------------------------------------
A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools."
---------------------------------------------
https://thehackernews.com/2024/07/crystalray-hackers-infect-over-1500.html
∗∗∗ CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks ∗∗∗
---------------------------------------------
Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups, krb5, pgadmin4, python3.6, and yarnpkg), Mageia (freeradius, kernel, kmod-xtables-addons, kmod-virtualbox, and dwarves, kernel-linus, and squid), Red Hat (ghostscript, kernel, and less), SUSE (avahi, c-ares, cairo, cups, fdo-client, gdk-pixbuf, git, libarchive, openvswitch3, podman, polkit, python-black, python-Jinja2, python-urllib3, skopeo, squashfs, tiff, traceroute, and wget), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm).
---------------------------------------------
https://lwn.net/Articles/982029/
∗∗∗ Admin-Lücke bedroht Palo Alto Networks Migration-Tool Expedition ∗∗∗
---------------------------------------------
Verschiedene Cybersicherheitsprodukte von Palo Alto Networks sind verwundbar. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-9800845
∗∗∗ Wireshark 4.2.6 Released, (Sun, Jul 14th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/31068
∗∗∗ 2024-07-15: Cyber Security Advisory -Mint Workbench I Unquoted Service Path Enumeration ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7912&Lan…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 11-07-2024 18:00 − Freitag 12-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Nach Social-Media-Drama: Signal patcht eine seit 2018 bekannte Schwachstelle ∗∗∗
---------------------------------------------
Durch die Schwachstelle können andere Anwendungen auf Signal-Chats zugreifen. Bekannt ist das Problem schon seit sechs Jahren. Nun soll endlich ein Fix kommen.
---------------------------------------------
https://www.golem.de/news/nach-social-media-drama-signal-patcht-seit-sechs-…
∗∗∗ Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots ∗∗∗
---------------------------------------------
Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.
---------------------------------------------
https://isc.sans.edu/diary/Understanding+SSH+Honeypot+Logs+Attackers+Finger…
∗∗∗ 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack ∗∗∗
---------------------------------------------
Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection.The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the ..
---------------------------------------------
https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.ht…
∗∗∗ Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments ∗∗∗
---------------------------------------------
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users inboxes.The vulnerability, tracked as CVE-2024-39929, has a CVSS ..
---------------------------------------------
https://thehackernews.com/2024/07/critical-exim-mail-server-vulnerability.h…
∗∗∗ Telefonbetrug: Scam Anruf von Anwälten im Umlauf ∗∗∗
---------------------------------------------
Der Betrüger fälscht die Telefonnummer einer renommierten Anwaltskanzlei in der Umgebung und ruft das Opfer an. Im Gespräch gibt sich der vermeintliche Anwalt als eine echte Person aus, die ..
---------------------------------------------
https://blog.zettasecure.com/telefonbetrug-scam-anruf-von-anwaelten-im-umla…
∗∗∗ AT&T wurde Opfer eines riesigen Hackerangriffs ∗∗∗
---------------------------------------------
Verbindungsdaten von 109 Millionen Kunden wurden von unbekannten Angreifern heruntergeladen
---------------------------------------------
https://www.derstandard.at/story/3000000228237/att-wurde-opfer-eines-riesig…
∗∗∗ Apple sends new warning about mercenary spyware attacks to iPhone users. Should you worry now? ∗∗∗
---------------------------------------------
Though mercenary spyware attacks are rare and typically sent only to targeted individuals, Apple has alerted iPhone users about them for the second time this year.
---------------------------------------------
https://www.zdnet.com/article/apple-warns-of-mercenary-spyware-attacks-agai…
∗∗∗ mSpy: Dritter Hack seit 2010 legt Millionen Nutzerdaten offen ∗∗∗
---------------------------------------------
Es heißt ja "Aller guten Dinge sind drei" – was aber hier wohl eher nicht zutrifft. Der Anbieter von Smartphone-Überwachung, mySpy, ist erneut durch ein Datenleck auf Grund eines Hacks aufgefallen (der dritte Vorfall seit 2010). Ein ..
---------------------------------------------
https://www.borncity.com/blog/2024/07/12/mspy-dritter-hack-seit-2010-legt-m…
∗∗∗ Checking in on the state of cybersecurity and the Olympics ∗∗∗
---------------------------------------------
Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-july-12-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5729-1 apache2 - security update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00140.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 10-07-2024 18:00 − Donnerstag 11-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Datenleck: Millionen von 2FA-SMS standen frei zugänglich im Netz ∗∗∗
---------------------------------------------
Die vom CCC entdeckten SMS haben wohl neben internen Verwaltungs- und Abrechnungsdaten auf einer ungesicherten S3-Instanz eines Dienstleisters gelegen.
---------------------------------------------
https://www.golem.de/news/datenleck-millionen-von-2fa-sms-standen-frei-zuga…
∗∗∗ You had a year to patch this Veeam flaw and now its going to hurt ∗∗∗
---------------------------------------------
LockBit variant targets backup software - which you may remember is supposed to help you recover from ransomware Yet another new ransomware gang, this one dubbed EstateRansomware, is exploiting a ..
---------------------------------------------
https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
∗∗∗ Achtung: Phishingversuche im Namen von Bitpanda! ∗∗∗
---------------------------------------------
Derzeit kursieren vermehrt Phishingmails und SMS, die vortäuschen, vom Finanzdienstleister BitPanda versendet worden zu sein. Geben Sie keine persönlichen Daten oder Codes weiter, sonst geben Sie Kriminellen Zugang zu Ihrem Wallet!
---------------------------------------------
https://www.watchlist-internet.at/news/phishingversuche-bitpanda/
∗∗∗ E-Mail genügt: Outlook-Lücke gibt Angreifern Zugriff aufs System ∗∗∗
---------------------------------------------
Gefahr insbesondere bei Mails von "vertrauenswürdigen Absendern" – Patch steht bereit
---------------------------------------------
https://www.derstandard.at/story/3000000228006/e-mail-genuegt-outlook-lueck…
∗∗∗ Impact of data breaches is fueling scam campaigns ∗∗∗
---------------------------------------------
Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time. A data breach occurs when unauthorized ..
---------------------------------------------
https://blog.talosintelligence.com/data-breaches-fueling-scam-campaigns/
∗∗∗ CISA and FBI Release Secure by Design Alert on Eliminating OS Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/07/10/cisa-and-fbi-release-sec…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5728-1 exim4 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00139.html
∗∗∗ DSA-5727-1 firefox-esr - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00138.html
∗∗∗ 2024-07 Security Bulletin: Junos OS Evolved: Execution of a specific CLI command will cause a crash in the AFT manager (CVE-2024-39513) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos…
∗∗∗ 2024-07 Security Bulletin: Junos OS and Junos OS Evolved: BGP multipath incremental calculation is resulting in an rpd crash (CVE-2024-39554) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos…
∗∗∗ NetScaler Console, Agent and SDX Security Bulletin for CVE-2024-6235 and CVE-2024-6236 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX677998/netscaler-console-agent-and-sd…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-07-2024 18:00 − Mittwoch 10-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ticket Heist network of 700 domains sells fake Olympic Games tickets ∗∗∗
---------------------------------------------
A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ticket-heist-network-of-700-…
∗∗∗ Im Klartext: Linksys-Router senden wohl WLAN-Passwörter an US-Server ∗∗∗
---------------------------------------------
Eine Verbraucherorganisation hat zwei Routermodelle von Linksys getestet. Beide übermitteln wohl sensible Daten an einen Server in den USA. Einen Patch gibt es bisher nicht.
---------------------------------------------
https://www.golem.de/news/im-klartext-linksys-router-senden-wohl-wlan-passw…
∗∗∗ Cyberangriff trifft IT-Konzern: 49 Systeme von Fujitsu mit Malware infiziert ∗∗∗
---------------------------------------------
Cyberkriminellen ist es gelungen, interne Systeme von Fujitsu zu infiltrieren. Potenziell sind auch Kundendaten abgeflossen. Viele Details nennt der Konzern aber nicht.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-it-konzern-49-systeme-von-fuj…
∗∗∗ Finding Honeypot Data Clusters Using DBSCAN: Part 1 ∗∗∗
---------------------------------------------
Sometimes data needs to be transformed or different tools need to be used so that it can be compared with other data. Some honeypot data is easy to compare since there is no customized information such as randomly generated file names, IP addresses, etc.
---------------------------------------------
https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part…
∗∗∗ Ransomware crews investing in custom data stealing malware ∗∗∗
---------------------------------------------
BlackByte, LockBit among the criminals using bespoke tools As ransomware crews increasingly shift beyond just encrypting victims files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the ..
---------------------------------------------
https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/
∗∗∗ Google Is Adding Passkey Support for Its Most Vulnerable Users ∗∗∗
---------------------------------------------
Google is bringing the password-killing “passkey” tech to its Advanced Protection Program users more than a year after rolling them out broadly.
---------------------------------------------
https://www.wired.com/story/google-passkey-advance-protection-program/
∗∗∗ Augen auf beim Ticketkauf ∗∗∗
---------------------------------------------
Wie Betrüger beliebte Ticketplattformen für ihre finsteren Zwecke missbrauchen
---------------------------------------------
https://www.welivesecurity.com/de/tipps-ratgeber/augen-auf-beim-ticketkauf/
∗∗∗ Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities ∗∗∗
---------------------------------------------
This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2024/
∗∗∗ Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs ∗∗∗
---------------------------------------------
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
---------------------------------------------
https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/
∗∗∗ Eldorado Ransomware Targeting Windows and Linux with New Malware ∗∗∗
---------------------------------------------
Another day, another threat against Windows and Linux systems!
---------------------------------------------
https://hackread.com/eldorado-ransomware-windows-linux-malware/
∗∗∗ CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook ∗∗∗
---------------------------------------------
Morphisec researchers have identified a significant vulnerability, CVE-2024-38021 — a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.
---------------------------------------------
https://blog.morphisec.com/cve-2024-38021-microsoft-outlook-moniker-rce-vul…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, kernel-rt, libreswan, linux-firmware, pki-core, and podman), Fedora (firefox and jpegxl), Gentoo (Buildah, HarfBuzz, and LIVE555 Media Server), Oracle (buildah, gvisor-tap-vsock, kernel, libreswan, and podman), Red Hat (containernetworking-plugins, dotnet6.0, dotnet8.0, fence-agents, kernel, libreswan, libvirt, perl-HTTP-Tiny, python39:3.9, toolbox, and virt:rhel and virt-devel:rhel modules), SUSE (firefox,
---------------------------------------------
https://lwn.net/Articles/981508/
∗∗∗ [20240705] - Core - XSS in com_fields default field value ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/939-20240705-core-xss-in-c…
∗∗∗ [20240704] - Core - XSS in Wrapper extensions ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/938-20240704-core-xss-in-w…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-07-2024 18:00 − Dienstag 09-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories ∗∗∗
---------------------------------------------
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain ..
---------------------------------------------
https://thehackernews.com/2024/07/trojanized-jquery-packages-found-on-npm.h…
∗∗∗ Houthi rebels are operating their own GuardZoo spyware ∗∗∗
---------------------------------------------
Fairly low budget, unsophisticated malware, say researchers, but it can collect the same data as Pegasus ..
---------------------------------------------
https://www.theregister.com/2024/07/09/houthi_rebels_malware/
∗∗∗ People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action ∗∗∗
---------------------------------------------
The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a
∗∗∗ Vulnerability discovered in RADIUS protocol ∗∗∗
---------------------------------------------
On 9 July 2024, a vulnerability in the RADIUS protocol was published that allows an attacker to manipulate RADIUS server responses and thus gain unauthorized access.
---------------------------------------------
https://www.dfn.de/en/blastradius-newsmeldung/
∗∗∗ Exploring Compiled V8 JavaScript Usage in Malware ∗∗∗
---------------------------------------------
In this article, we give you a basic understanding of how V8 compiled code is used not just in regular apps but also for malicious purposes.
---------------------------------------------
https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage…
∗∗∗ Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella ∗∗∗
---------------------------------------------
Microsoft is suffering cybersecurity failures due to systemic problems with strategic leadership. The world is witnessing an alarming trend of cybersecurity issues with Microsoft products and services. Over the past ..
---------------------------------------------
https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/
∗∗∗ Mitarbeiter:innen wollen Gehaltskonto ändern? Vorsicht vor Betrug! ∗∗∗
---------------------------------------------
Kriminelle haben es aktuell auf die Lohnzahlungen Ihrer Angestellten abgesehen. Per E-Mail treten sie mit der zuständigen Abteilung Ihres Unternehmens in Kontakt und versuchen, eine Änderung der IBAN zum Empfang der Gehälter zu erwirken. Klappt der Betrug, landet das Geld in den Taschen Krimineller und wird erst bemerkt, wenn die Auszahlung des Gehalts nie bei der tatsächlich angestellten Person eingeht.
---------------------------------------------
https://www.watchlist-internet.at/news/gehaltskonto-aendern-betrug/
∗∗∗ "Ich hab doch nur gschaut .. (bis sich eine bessere Gelegenheit bietet)!" ∗∗∗
---------------------------------------------
Angriffe mit (vermeintlich) hacktivistischer Motivation sind inzwischen ein fester Bestandteil des digitalen Hintergrundrauschens. Das ist nicht erst seit Beginn des russischen Angriffskrieges auf die Ukraine der Fall, jedoch hat die Zahl von Attacken durch Bedrohungsakteure, welche im Sinne ihrer "Sache" für eine der Seiten innerhalb ..
---------------------------------------------
https://www.cert.at/de/blog/2024/7/industriesteueranlagen-und-fernwartung-d…
∗∗∗ Amazon Prime Day: Vorsicht vor Phishing und falschen Amazon-Webseiten ∗∗∗
---------------------------------------------
Mehr als 1.230 neue Amazon-bezogene Domains wurden im Juni 2024 registriert, 85 Prozent davon werden als bösartig oder verdächtig eingestuft.
---------------------------------------------
https://www.zdnet.de/88416929/amazon-prime-day-vorsicht-vor-phishing-und-fa…
∗∗∗ New group exploits public cloud services to spy on Russian agencies, Kaspersky says ∗∗∗
---------------------------------------------
Researchers say they have discovered a new hacker group, dubbed CloudSorcerer, that uses “a sophisticated cyberespionage tool” to steal data from Russian government agencies.
---------------------------------------------
https://therecord.media/cloudsorcerer-apt-kaspersky-research
∗∗∗ Wordpress-Plug-in mit 150.000 Installation ermöglicht beliebige Dateiuploads ∗∗∗
---------------------------------------------
In einem Wordpress-Plug-in mit 150.000 Installationen wurde eine Sicherheitslücke entdeckt, die das Hochladen beliebiger Dateien erlaubt.
---------------------------------------------
https://heise.de/-9794927
∗∗∗ Ransomware: Entschlüsselungstool für Muse, DarkRace und DoNex veröffentlicht ∗∗∗
---------------------------------------------
Opfer der Verschlüsselungstrojaner Muse, DarkRace und DoNex können ab sofort, ohne Lösegeld zu zahlen, wieder auf ihre Daten zugreifen.
---------------------------------------------
https://heise.de/-9795098
∗∗∗ Patchday: SAP rüstet Unternehmenssoftware gegen etwaige Angriffe ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates unter anderem für SAP Commerce und NetWeaver erschienen.
---------------------------------------------
https://heise.de/-9795171
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (virt:rhel and virt-devel:rhel), Fedora (ghostscript, golang, httpd, libnbd, netatalk, rust-sequoia-chameleon-gnupg, rust-sequoia-gpg-agent, rust-sequoia-keystore, rust-sequoia-openpgp, and rust-sequoia-sq), Mageia (apache), Red Hat (booth, buildah, edk2, fence-agents, git, gvisor-tap-vsock, kernel, kernel-rt, less, libreswan, linux-firmware, openssh, pki-core, podman, postgresql-jdbc, python3, tpm2-tss, virt:rhel, and virt:rhel and virt-devel:rhel
---------------------------------------------
https://lwn.net/Articles/981285/
∗∗∗ Another OpenSSH remote code execution vulnerability ∗∗∗
---------------------------------------------
https://lwn.net/Articles/981287/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
∗∗∗ Security Vulnerabilities fixed in Firefox 128 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-07-2024 18:00 − Montag 08-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fast 10 Milliarden Passwörter: Gigantischer Passwort-Leak wirft Fragen auf ∗∗∗
---------------------------------------------
In einem Hackerforum ist eine fast 50 GByte große Passwortliste namens Rockyou2024 aufgetaucht. [..] Das erhebliche Sicherheitsrisiko, vor dem einige Medien warnen, scheint von Rockyou2024 allerdings nicht auszugehen. [..] "Sorry, hier gibt es nichts zu sehen. Das ist einfach nur minderwertiger Müll – sowohl die 'geleakte' Datei als auch die Berichterstattung darüber", so Karlslunds Fazit.
---------------------------------------------
https://www.golem.de/news/fast-10-milliarden-passwoerter-gigantischer-passw…
∗∗∗ Nach Cyberangriff: Warnmail von Microsoft landet bei vielen Kunden im Spam ∗∗∗
---------------------------------------------
Seit Juni informiert Microsoft betroffene Kunden über bei einem Cyberangriff abgeflossene E-Mails. So ganz reibungslos läuft das offenbar noch nicht. [..] "Überprüfen Sie Ihre E-Mail-Protokolle (einschließlich Exchange Online) auf eine E-Mail von mbsupport(a)microsoft.com", warnt der Forscher.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-warnmail-von-microsoft-landet-b…
∗∗∗ Nach Cyberangriff: Hacker erpressen Ticketmaster und verschenken Tickets ∗∗∗
---------------------------------------------
Die Angreifer behaupten, Ticket-Barcodes im Gesamtwert von mehr als 22 Milliarden US-Dollar erbeutet zu haben. Für Taylor-Swift-Konzerte stehen schon einige im Netz.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-ticketmaster-u…
∗∗∗ Booking.com: Aufforderung zur erneuten Buchungsbestätigung ist Betrug ∗∗∗
---------------------------------------------
Vorsicht, wenn Sie im Nachrichtenportal von booking.com trotz bestätigter Buchung aufgefordert werden, die Buchung erneut zu bestätigen. Dahinter stecken Kriminelle, die sich Zugang zum Buchungssystem des Hotels verschafft haben. Klicken Sie nicht auf den Link und antworten Sie nicht!
---------------------------------------------
https://www.watchlist-internet.at/news/bookingcom-aufforderung-zur-erneuten…
∗∗∗ Schadcode-Attacken auf Multifunktionsdrucker von Toshiba und Sharp möglich ∗∗∗
---------------------------------------------
Angreifer können hunderte Multifunktionsdrucker von Toshiba und Sharp ins Visier nehmen. Sicherheitsupdates sind verfügbar. [..] Toshiba hat bereits Mitte Juni 2024 Informationen zu den Schwachstellen und betroffenen Modellen bekannt gegeben. Der Sicherheitsforscher hat seine Informationen erst kürzlich veröffentlicht.
---------------------------------------------
https://heise.de/-9793179
∗∗∗ Kunai: Keep an Eye on your Linux Hosts Activity, (Mon, Jul 8th) ∗∗∗
---------------------------------------------
Last week, I attended « Pass The Salt », a conference focussing on open-source software and cybersecurity. I participated in a very interesting workshop about « Kunai ». This tool, developed by Quentin Jérôme from CIRCL (the Luxembourg CERT) aims to replace SysmonForLinux. Its goal is to record and log system activity but in a more «Linux-oriented» flavor. It was presented for the first time at hack.lu in 2023 and it now reaches enough maturity to be tested and deployed on some Linux hosts.
---------------------------------------------
https://isc.sans.edu/diary/rss/31054
∗∗∗ Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies ∗∗∗
---------------------------------------------
The supply chain attack targeting the widely-used Polyfill[.]io JavaScript library is broader in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024. [..] "Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."
---------------------------------------------
https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html
∗∗∗ Tool: AtomDucky ∗∗∗
---------------------------------------------
Atom Ducky is a HID device controlled through a web browser. Its designed to function as a wirelessly operated Rubber Ducky, personal authenticator, or casual keyboard. Its primary aim is to help ethical hackers gain knowledge about Rubber Ducky devices while integrating their use into everyday life.
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1drhkc0/atom_ducky_wifi_rubber_duc…
∗∗∗ Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) (CVSS 9.9, CVSS 9.8) Walkthrough ∗∗∗
---------------------------------------------
In July 2023, the Oligo Research Team disclosed multiple new critical vulnerabilities to Pytorch maintainers Amazon and Meta, including CVE-2023-43654 (CVSS 9.8). [..] Want the deep dive, full story with technical walkthrough for the PyTorch (TorchServe) ShellTorch vulnerabilities CVE-2023-43654 (CVSS: 9.8) and CVE-2022-1471 (CVSS: 9.9)? You’re in the right place.
---------------------------------------------
https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabiliti…
∗∗∗ Kimsuky Group’s New Backdoor (HappyDoor) ∗∗∗
---------------------------------------------
This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. The report in AhnLab TIP includes details on encoding & encryption methods, packet structure, and more in addition to the characteristics and features of the malware.
---------------------------------------------
https://asec.ahnlab.com/en/67660/
∗∗∗ The Current State of Browser Cookies ∗∗∗
---------------------------------------------
Well, almost every other website uses cookies. According to W3Techs, as of June 24, 2024, 41.3% of all websites use cookies with some of the most prominent providers included in that list, such as Google, Facebook, Microsoft and Apple. [..] Although cookies are being used to save sensitive data, they are still stored in a way that enables attackers to leak them easily and use them for malicious purposes.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/the-current-state-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (openssh), Debian (krb5), Fedora (yt-dlp), Gentoo (firefox, KDE Plasma Workspaces, Stellarium, thunderbird, and X.Org X11 library), Mageia (python-js2py and znc), Oracle (389-ds, c-ares, container-tools, cups, go-toolset, httpd:2.4/httpd, iperf3, kernel, less, libreoffice, libuv, nghttp2, openldap, openssh, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, and xmlrpc-c), Red Hat (kernel, kernel-rt, openssh, and virt:rhel and virt-devel:rhel modules), and SUSE (go1.21, go1.22, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, netty3, opera, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/981119/
∗∗∗ Mastodon: Sicherheitslücke ermöglicht unbefugten Zugriff auf Posts ∗∗∗
---------------------------------------------
Neue Versionen der Mastodon-Serversoftware schließen eine als hochriskant eingestufte Sicherheitslücke. Angreifer können sich unbefugten Zugriff auf Posts verschaffen. [..] Der Fehler tritt demnach ab Mastodon 2.6.0 auf. Die Entwickler haben die Versionen Mastodon 4.2.10 sowie 4.1.18 veröffentlicht. [..] Nähere Details wollen die Mastodon-Entwickler laut Sicherheitsmitteilung am Montag kommender Woche, den 15. Juli, veröffentlichen.
---------------------------------------------
https://heise.de/-9792706
∗∗∗ Mattermost security updates 9.9.1 / 9.8.2 / 9.7.6 / 9.5.7 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-9-1-9-8-2-9-7-6-9…
∗∗∗ MSI Center: Schwachstelle CVE-2024-37726 ermöglicht System-Privilegien ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2024/07/06/msi-center-schwachstelle-cve-2024-…
∗∗∗ K000140257: OpenSSL vulnerability CVE-2024-4741 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140257
∗∗∗ Vulnerability Summary for the Week of July 1, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-190
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-07-2024 18:00 − Freitag 05-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Eldorado ransomware targets Windows, VMware ESXi VMs ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-eldorado-ransomware-targ…
∗∗∗ Turla: A Master’s Art of Evasion ∗∗∗
---------------------------------------------
Turla, a well-known piece of malware, has taken to weaponising LNK-files to infect computers. We have observed a current example of this.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/07/37977-turla-evasion-lnk-files
∗∗∗ New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new botnet called Zergeca thats capable of conducting distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
---------------------------------------------
https://thehackernews.com/2024/07/new-golang-based-zergeca-botnet-capable.h…
∗∗∗ Latest Ghostscript vulnerability haunts experts as the next big breach enabler ∗∗∗
---------------------------------------------
Theres also chatter about whether medium severity scare is actually code red nightmare Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the coming months.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/07/05/ghostscript_…
∗∗∗ Binance-Kund:innen aufgepasst: SMS zu Login-Versuch ist Fake ∗∗∗
---------------------------------------------
Aktuell erreichen uns Meldungen über eine SMS im Namen der Handelsplattform Binance: Angeblich gibt es einen Login-Versuch aus Malta oder einem anderen Land. Es wird um einen Rückruf gebeten. Ignorieren Sie die SMS. Kriminelle versuchen Ihr Konto zu kapern und an Ihr Geld zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/binance-login-fake/
∗∗∗ TeamViewer gibt Entwarnung: Keine Kundendaten beim Hack im Juni 2024 abgeflossen ∗∗∗
---------------------------------------------
Der Hack des Fernwartungsanbieters TeamViewer scheint wohl glimpflicher abgegangen zu sein, als befürchtet. Ein staatlicher Akteur (APT29) hatte zwar Zugriff auf die interne IT-Umgebung des Unternehmens. Aber weder die Produktivumgebung mit den Quellen und Binärdateien der Fernwartungssoftware noch Kundendaten scheinen betroffen. Das hat der Anbieter in einem nunmehr dritten Statusupdate bekannt gegeben.
---------------------------------------------
https://www.borncity.com/blog/2024/07/05/teamviewer-gibt-entwarnung-keine-k…
∗∗∗ Turning Jenkins Into a Cryptomining Machine From an Attackers Perspective ∗∗∗
---------------------------------------------
In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-crypt…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cockpit, python-astropy, python3-docs, and python3.12), Gentoo (BusyBox, GNU Coreutils, GraphicsMagick, podman, PuTTY, Sofia-SIP, TigerVNC, and WebKitGTK+), Mageia (chromium-browser-stable and openvpn), SUSE (cockpit, krb5, and netatalk), and Ubuntu (kopanocore, libreoffice, linux-aws, linux-oem-6.8, linux-aws-5.15, linux-azure, linux-azure-4.15, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oracle, linux-starfive-6.5, and virtuoso-opensource).
---------------------------------------------
https://lwn.net/Articles/980855/
∗∗∗ ZDI-24-897: Trend Micro Apex One modOSCE SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-897/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-07-2024 18:00 − Donnerstag 04-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ MikroTik Router als DDoS Quellen: Zahlen für Österreich ∗∗∗
---------------------------------------------
OVH beschreibt ausführlich in einem Blogbeitrag, dass sie es in letzter Zeit öfters mit DDoS-Angriffen zu tun hatten, die sie auf kompromittierte MikroTik Router zurückführen. Es geht hier um ernsthafte Bandbreiten und Packets/Sekunde: kein Wunder, wenn es die Angreifer geschafft haben, gute angebundene Router für ihre Zwecke einzuspannen. [..] Ich habe das als Anlass genommen, mal in unserer Datenbasis (basierend auf Scans von Shadowserver) nachzuschauen, wie es um diese Geräte in Österreich bestellt ist: MikroTik Router, die per SNMP ihre Modellnummern verraten.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/7/mikrotik-snmp
∗∗∗ Authy: Hacker greifen Millionen von Telefonnummern über eine ungesicherte API ab ∗∗∗
---------------------------------------------
Nachdem Kriminelle eine CSV-Datei mit Telefonnummern von angeblich 33 Millionen Authy-Nutzern geleakt haben, drohen unter anderem SMS-Phishing-Attacken.
---------------------------------------------
https://heise.de/-9789229
∗∗∗ Backup-Fiasko in Indonesien: Hacker verschenken Schlüssel und entschuldigen sich ∗∗∗
---------------------------------------------
Ein Ransomwareangriff bereitet Indonesien enorme Probleme. Die Lage ist sogar derart prekär, dass die Angreifer den Behörden nun die Hand reichen.
---------------------------------------------
https://www.golem.de/news/backup-fiasko-in-indonesien-hacker-verschenken-sc…
∗∗∗ Neues zum Hack des Qualys-Blogs ∗∗∗
---------------------------------------------
Qualys hat nun (auf meinen Bericht) zum Hack des Unternehmensblogs reagiert und geantwortet. Keine Kunden- und Unternehmensdaten gefährdet, nur a bisserl Spam im Blog, der bei einem Drittanbieter lief.
---------------------------------------------
https://www.borncity.com/blog/2024/07/04/neues-zum-hack-des-qualys-blogs/
∗∗∗ Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) ∗∗∗
---------------------------------------------
HTTP File Server (HFS) is a program that provides a simple type of web service. [..] Recently, the remote code execution vulnerability CVE-2024-23692 in the HFS program that provides web services was announced. Attack cases against vulnerable versions of HFS continue to be detected ever since. Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability.
---------------------------------------------
https://asec.ahnlab.com/en/67650/
∗∗∗ WordPress User Enumeration: Risks & Mitigation Steps ∗∗∗
---------------------------------------------
In this post, we’re diving deep into WordPress user enumeration. We’ll break down what it is, why it’s a problem, and most importantly — how to prevent a compromise.
---------------------------------------------
https://blog.sucuri.net/2024/07/wordpress-user-enumeration.html
∗∗∗ The Not-So-Secret Network Access Broker x999xx ∗∗∗
---------------------------------------------
Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is "x999xx," the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.
---------------------------------------------
https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker…
∗∗∗ Dissecting GootLoader With Node.js ∗∗∗
---------------------------------------------
We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts.
---------------------------------------------
https://unit42.paloaltonetworks.com/javascript-malware-gootloader/
∗∗∗ No room for error: Don’t get stung by these common Booking.com scams ∗∗∗
---------------------------------------------
>From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation.
---------------------------------------------
https://www.welivesecurity.com/en/scams/common-bookingcom-scams/
∗∗∗ Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems ∗∗∗
---------------------------------------------
Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system. Grassley noted that the cyberattack led to “malicious activity” potentially compromising some of the country’s most sensitive industrial and critical infrastructure information.
---------------------------------------------
https://therecord.media/senator-grassley-cisa-letter-hack
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2).
---------------------------------------------
https://lwn.net/Articles/980755/
∗∗∗ Citrix: Cloud Software Group Security Advisory for CVE-2024-6387 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX678072/cloud-software-group-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-07-2024 18:00 − Mittwoch 03-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Europol takes down 593 Cobalt Strike servers used by cybercriminals ∗∗∗
---------------------------------------------
Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobal…
∗∗∗ Cyberangriff: Hacker erbeuten Daten von TÜV Rheinland ∗∗∗
---------------------------------------------
Einer Ransomwarebande ist es gelungen, in ein Schulungsnetzwerk des TÜV Rheinland einzudringen. Dabei sind womöglich Zugangsdaten abgeflossen.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-erbeuten-daten-von-tuev-rhein…
∗∗∗ South Korean ERP Vendors Server Hacked to Spread Xctdoor Malware ∗∗∗
---------------------------------------------
An unnamed South Korean enterprise resource planning (ERP) vendors product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor.The AhnLab Security Intelligence Center (ASEC), which identified ..
---------------------------------------------
https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.ht…
∗∗∗ Hijacked: How hacked YouTube channels spread scams and malware ∗∗∗
---------------------------------------------
Here's how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform.
---------------------------------------------
https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-sc…
∗∗∗ LockBit claims cyberattack on Croatia’s largest hospital ∗∗∗
---------------------------------------------
The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies.
---------------------------------------------
https://therecord.media/lockbit-claims-cyberattack-croatia-hospital
∗∗∗ Wurde der Blog von Qualys gehackt? (2. Juli 2024) ∗∗∗
---------------------------------------------
Kurze Information zu Qualys, ein Technologieunternehmen mit Dienstleistungsangeboten im Bereich Cloud-Sicherheit und Compliance. Es steht die Frage im Raum, ob die mit ihrem Blog womöglich gehackt wurden.
---------------------------------------------
https://www.borncity.com/blog/2024/07/03/wurde-der-blog-von-qualys-gehackt-…
∗∗∗ Cisco NX-OS: Update gegen seit April angegriffene Sicherheitslücke ∗∗∗
---------------------------------------------
Im Cisco NX-OS mehrerer Nexus- und MDS-Switches wird eine Sicherheitslücke bereits seit April angegriffen. Jetzt stellt Cisco ein Update bereit.
---------------------------------------------
https://heise.de/-9787532
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in PanelView Plus devices could lead to remote code execution ∗∗∗
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/02/vulnerabilities-in…
∗∗∗ Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server ∗∗∗
---------------------------------------------
https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vu…
∗∗∗ Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Tenable Identity Exposure Version 3.59.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-11
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 01-07-2024 18:00 − Dienstag 02-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Latest Intel CPUs impacted by new Indirector side-channel attack ∗∗∗
---------------------------------------------
Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations are susceptible to a new type of a high-precision Branch Target Injection (BTI) attack dubbed Indirector, which could be used to steal sensitive information from the CPU.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-b…
∗∗∗ Zahlungsaufforderung von Tecom für Erotikdienstleistungen ignorieren ∗∗∗
---------------------------------------------
In letzter Zeit werden uns vermehrt SMS-Nachrichten von Tecom gemeldet. Darin werden 90 Euro für Erotikdienstleistungen gefordert. Der Betrag soll auf ein tschechisches Konto überwiesen oder in bar per Einschreiben bezahlt werden. Bezahlen Sie nicht, es handelt sich um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/zahlungsaufforderung-von-tecom-fuer-…
∗∗∗ Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform ∗∗∗
---------------------------------------------
This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests. [..] Logsign patched these and other vulnerabilities with version 6.4.8.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/1/getting-unauthenticated-remote-code-ex…
∗∗∗ The End of Passwords? Embrace the Future with Passkeys. ∗∗∗
---------------------------------------------
Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, like the adoption of password managers.
---------------------------------------------
https://blog.nviso.eu/2024/07/02/the-end-of-passwords-embrace-the-future-wi…
∗∗∗ Modern Cryptographic Attacks: A Guide for the Perplexed ∗∗∗
---------------------------------------------
In this write-up, we lay out in simple terms: “Classic Flavor” modern cryptanalysis (e.g. meet-in-the-middle attacks, Birthday Attack on CBC) [..] Side Channel Attacks (e.g. Timing Attacks, an honorable mention for SPECTRE) [..] Attacks on RSA (e.g. Bleichenbacher’s attack, related message attacks, Coppersmith’s method)
---------------------------------------------
https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-f…
∗∗∗ CocoaPods: Anfällig für Supply-Chain-Angriffe in "zahllosen" Mac- und iOS-Apps ∗∗∗
---------------------------------------------
Der Dependency-Manager auf Open-Source-Basis steckt in Millionen von Swift- und Objective-C-Programmen. [..] Eva Security fand heraus, dass CocoaPods bereits im Jahr 2014 alle Pods auf einen neuen "Trunk Server" auf GitHub migriert hat. Dabei wurden die Autoren jeder Bibliothek einfach zurückgesetzt. CocoaPods forderte die Entwickler dann auf, ihre jeweilige Bibliothek zu "claimen". Allerdings taten dies nicht alle.
---------------------------------------------
https://heise.de/-9786099
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. [..} To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. [..] In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. [..] CVE-2024-20399
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io).
---------------------------------------------
https://lwn.net/Articles/980393/
∗∗∗ QNAP: Vulnerability in OpenSSH ∗∗∗
---------------------------------------------
A remote code execution (RCE) vulnerability in OpenSSH has been reported to affect QTS 5.2.0 Release Candidate and QuTS hero h5.2. [..] QNAP is actively investigating this issue and working on a solution. We will fix the issue in the official releases of QTS 5.2.0 and QuTS hero h5.2.0.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-31
∗∗∗ Juniper: Notfall-Update für Junos OS auf SRX-Baureihe ∗∗∗
---------------------------------------------
Juniper Networks schließt eine als hochriskant eingestufte DoS-Lücke im Juniper OS der SRX-Geräte mit einem Update außer der Reihe. [..] Nachdem bereits am Freitag Notfall-Updates von Juniper Networks für Session Smart Router nötig waren, legt das Unternehmen nun mit einem Update außer der Reihe für das Junos OS auf Geräten der SRX-Baureihe nach. Sie dichten eine Denial-of-Service-Sicherheitslücke ab. [..] CVE-2024-21586
---------------------------------------------
https://heise.de/-9785970
∗∗∗ Android: Google schließt teils kritische Lücken am Juli-Patchday ∗∗∗
---------------------------------------------
Google hat Updates für Android 12, 12L, 13 und 14 im Rahmen des Juli-Patchdays veröffentlicht. Sie schließen Rechteausweitungs-Lücken. [..] Wie immer müssen sich Smartphone-Besitzer etwas gedulden, bis die Android-Aktualisierungen sich als Firmware-Updates für ihr eingesetztes Gerät materialisieren. Selbst für Googles hauseigene Pixel-Smartphones steht das Juli-Update zum Meldungszeitpunkt noch aus.
---------------------------------------------
https://heise.de/-9786995
∗∗∗ Splunk Security Advisories 2024-07-01 ∗∗∗
---------------------------------------------
https://advisory.splunk.com/advisories
∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
∗∗∗ Johnson Controls Kantech Door Controllers ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-01
∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily