Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 04.04.2025
by Daily end-of-shift report 04 Apr '25

04 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-04-2025 18:00 − Freitag 04-04-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Europcar GitLab breach exposes data of up to 200,000 customers ∗∗∗ --------------------------------------------- A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-expos… ∗∗∗ Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457) ∗∗∗ --------------------------------------------- Exploitation is always a tricky subject. Vendors want to minimize disruption to their userbase and avoid unnecessary patching, but they also need to balance that with the userbase's safety. [..] It appears that this is what happened here - Ivanti made a judgment call, believing that exploiting the vulnerability, given the requirement that the payload must comprise only of 0123456789., was impossible. Unfortunately, an advanced attacker seems to have proved them wrong. --------------------------------------------- https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwa… ∗∗∗ NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole ∗∗∗ --------------------------------------------- Without much fanfare, the NVD has begun mass-labeling older CVEs as "Deferred," effectively giving up on enriching them with detailed metadata like CVSS scores, CWEs, and CPEs. In an April 2 update, the NVD announced that all CVEs published before 2018 will be marked as Deferred—a move thats already resulted in 20,000 Deferred CVEs overnight, with potentially 100,000 more to come: All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD. --------------------------------------------- https://socket.dev/blog/nvd-quietly-sweeps-100k-cves-into-a-deferred-black-… ∗∗∗ Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads ∗∗∗ --------------------------------------------- North Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware and introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques. --------------------------------------------- https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packa… ===================== = Vulnerabilities = ===================== ∗∗∗ DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- Autodesk Navisworks is affected by multiple DWFX vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0002 ∗∗∗ Kritische Lücke mit Höchstwertung in Apache Parquet geschlossenen ∗∗∗ --------------------------------------------- Wie aus einem Eintrag in der Openwall-Mailingliste hervorgeht, haben die Entwickler die Schwachstelle in der Version 1.15.1 geschlossen. Alle vorigen Ausgaben sind verwundbar. Die Lücke (CVE-2025-30065) gilt als "kritisch" und ist mit dem höchstmöglichen CVSS Score 10 von 10 eingestuft. Sie betrifft konkret das parquet-avro-Modul der Java-Bibliothek von Apache Parquet. --------------------------------------------- https://www.heise.de/news/Kritische-Luecke-mit-Hoechstwertung-in-Apache-Par… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils). --------------------------------------------- https://lwn.net/Articles/1016484/ ∗∗∗ Cisco: Hochriskante Lücken in Meraki und Enterprise Chat ∗∗∗ --------------------------------------------- In der Anyconnect-VPN-Software von Ciscos Meraki MX- und Z-Reihen sowie in Enterprise Chat and Email haben die Entwickler Sicherheitslücken mit hohem Risiko entdeckt. Aktualisierte Firm- und Software steht bereit, um sie zu schließen. Admins sollten sie zügig installieren. --------------------------------------------- https://heise.de/-10340333 ∗∗∗ Hitachi Energy TRMTracker ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-02 ∗∗∗ B&R APROL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-05 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2025
by Daily end-of-shift report 03 Apr '25

03 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-04-2025 18:00 − Donnerstag 03-04-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitHub expands security tools after 39 million secrets leaked in 2024 ∗∗∗ --------------------------------------------- Over 39 million secrets like API keys and account credentials were leaked on GitHub throughout 2024, exposing organizations and users to significant security risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-expands-security-tool… ∗∗∗ Hersteller warnt: Gefährliche Cisco-Backdoor wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Durch die Backdoor erhalten Angreifer dank statischer Zugangsdaten Admin-Zugriff auf ein Lizenzierungstool für Cisco-Produkte. --------------------------------------------- https://www.golem.de/news/hersteller-warnt-hacker-nutzen-eine-von-ciscos-ba… ∗∗∗ Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say ∗∗∗ --------------------------------------------- A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years. --------------------------------------------- https://www.wired.com/story/xiaofeng-wang-indiana-university-research-probe… ∗∗∗ Belohnung für gefundene Sicherheitslücken in Fediverse-Software ausgelobt ∗∗∗ --------------------------------------------- Für Mastodon, Pixelfed & Co. sind einzelne und kleine Teams verantwortlich. Um deren Dienste sicherer zu machen, wird jetzt etwas Geld zur Verfügung gestellt. --------------------------------------------- https://www.heise.de/news/Belohnung-fuer-gefundene-Sicherheitsluecken-in-Fe… ∗∗∗ Vorsicht Phishing: Fake-SMS zu angeblichen Mahnungen des Finanzministeriums ∗∗∗ --------------------------------------------- Haben Sie eine SMS im Namen des Bundesministeriums für Finanzen (BMF) erhalten, in der Ihnen offene Schulden vorgeworfen werden? Droht die Nachricht mit einer bevorstehenden Pfändung, weil Sie angeblich schon mehrfach gemahnt wurden? Achtung: Zahlen Sie die Forderung nicht! Die Nachricht kommt nicht vom Finanzministerium und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zu-mahnungen-des-finanzmini… ∗∗∗ NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on “Fast Flux,” a National Security Threat ∗∗∗ --------------------------------------------- Today, CISA—in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/03/nsa-cisa-fbi-and-interna… ∗∗∗ New guidance on securing HTTP-based APIs ∗∗∗ --------------------------------------------- Why it’s essential to secure your APIs to build trust with your customers and partners. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/new-guidance-on-securing-http-based-apis ∗∗∗ DPRK IT Workers Expanding in Scope and Scale ∗∗∗ --------------------------------------------- Since our September 2024 report outlining the Democratic Peoples Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-ex… ∗∗∗ Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) ∗∗∗ --------------------------------------------- On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploi… ∗∗∗ RolandSkimmer: Silent Credit Card Thief Uncovered ∗∗∗ --------------------------------------------- Web-based credit card skimming remains a widespread and persistent threat, known for its ability to adapt and evolve over time. FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named .. --------------------------------------------- https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-c… ∗∗∗ Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks ∗∗∗ --------------------------------------------- The Socket research team recently discovered a malicious Python package on PyPI named disgrasya, which contains a fully automated carding script targeting WooCommerce stores. Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate. It was openly malicious, abusing PyPI as a distribution .. --------------------------------------------- https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-029 ∗∗∗ Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-028 ∗∗∗ SVD-2025-0402: Third-Party Package Updates in Splunk/UniversalForwarder Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0402 ∗∗∗ SVD-2025-0401: Third-Party Package Updates in Splunk/Splunk Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0401 ∗∗∗ Security Update: Pulse Connect Secure, Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-pulse-connect-secure-ivanti-con… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2025
by Daily end-of-shift report 02 Apr '25

02 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-04-2025 18:00 − Mittwoch 02-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unitree Go1: Gefährliche Backdoor in populärem Roboterhund entdeckt ∗∗∗ --------------------------------------------- Konkret geht es um das Modell Go1, das in der Vergangenheit bereits von den US-Marines für Testzwecke mit einem Waffensystem ausgestattet wurde. [..] Anhand der Backdoor konnte der Hersteller sowie auch jeder andere Akteur, der im Besitz des erforderlichen API-Schlüssels war, aus der Ferne die vollständige Kontrolle über den Unitree Go1 übernehmen. Der Zugriff erfolgte dabei über einen Cloudsail genannten Fernwartungsdienst. --------------------------------------------- https://www.golem.de/news/unitree-go1-gefaehrliche-backdoor-in-populaerem-r… ∗∗∗ Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform ∗∗∗ --------------------------------------------- On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks. The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox later this year. --------------------------------------------- https://thehackernews.com/2025/04/enterprise-gmail-users-can-now-send-end.h… ∗∗∗ Administrative Windows Shares (C$, ADMIN$) mit Revoke-SmbShareAccess absichern ∗∗∗ --------------------------------------------- Windows erstellt standardmäßig spezielle, versteckte Freigaben (z. B. C$, ADMIN$, IPC$) für den Remote-Zugriff von Administratoren. Diese sind im Explorer grundsätzlich nicht sichtbar (ausgeblendet), können aber z.B. mittels folgendem PowerShell-CmdLet angezeigt werden: Was vielen nicht bewusst ist: Auch interaktiv angemeldet Benutzer (ohne Administrator-Rechte) können auf diese administrativen Freigaben lokal zugreifen ... --------------------------------------------- https://hitco.at/blog/administrative-windows-shares-c-admin-mit-revoke-smbs… ∗∗∗ Konzert der Lieblingsband ausverkauft? Vorsicht vor Fake-Angeboten auf Facebook! ∗∗∗ --------------------------------------------- Egal ob Superstars in riesigen Arenen oder interessante Newcomer in kleinen Clubs – Musik zieht Menschen an. Ist das Konzert der Lieblingsband allerdings ausverkauft, ist guter Rat teuer – und Vorsicht geboten! Betrüger:innen nutzen besonders die Anonymität sozialer Medien und locken dort Musikfans auf der Suche nach Tickets in die Falle. Woran die Fake-Angebote zu erkennen sind und wann unbedingt eine Anzeige bei der Polizei nötig ist. --------------------------------------------- https://www.watchlist-internet.at/news/lieblingsband-ausverkauft-faketicket… ∗∗∗ European Commission takes aim at end-to-end encryption and proposes Europol become an EU FBI ∗∗∗ --------------------------------------------- The Commission said it would create roadmaps regarding both the “lawful and effective access to data for law enforcement” and on encryption. --------------------------------------------- https://therecord.media/european-commission-takes-aim-encryption-europol-fb… ∗∗∗ Deutsche Industrie warnt vor Ende des EU-US-Datentransfer-Abkommens ∗∗∗ --------------------------------------------- Der Datentransfer in die US-Cloud oder zu US-Unternehmen von Daten europäischer Nutzer ist durch ein Abkommen zwischen der EU und den USA geregelt. Nun droht dieses Abkommen durch die USA gekippt zu werden – und deutsche Unternehmen geraten dadurch in arge Probleme, wenn sie auf US-Tech-Produkte und die Cloud gesetzt haben. Verbände "warnen vor dem Ende des Abkommens" – die europäischen Cloud-Anbieter (CISPE) sehen aber eine Chance, in Europa digital souverän zu werden. --------------------------------------------- https://www.borncity.com/blog/2025/04/02/deutsche-industrie-zittert-vor-end… ∗∗∗ Jailbreaking Every LLM With One Simple Click ∗∗∗ --------------------------------------------- In the past two years, large language models (LLMs), especially chatbots, have exploded onto the scene. Everyone and their grandmother are using them these days. Generative AI is pervasive in movies, academic papers, legal briefs and much more. There is intense competition among major players, ranging from closed-model vendors such as OpenAI, Anthropic, Google and xAI to open-source providers like Meta, Mistral, Alibaba and DeepSeek. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/jailbreaking-every-… ∗∗∗ Heightened In-The-Wild Activity On Key Technologies Observed On March 28 ∗∗∗ --------------------------------------------- On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. --------------------------------------------- https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technolog… ∗∗∗ Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks ∗∗∗ --------------------------------------------- News headlines reported that it took just 30 hours for attackers to exploit a newly discovered vulnerability in Apache Tomcat servers. But what does this mean for workloads relying on Tomcat? Aqua Nautilus researchers discovered a new attack campaign targeting Apache Tomcat. In this blog, we shed light on newly discovered malware that targets Tomcat servers to hijack resources. --------------------------------------------- https://blog.aquasec.com/new-campaign-against-apache-tomcat ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-aws-5.4, linux-aws-fips, linux-azure-6.8, linux-hwe-6.8, linux-raspi, linux-realtime, nginx, phpseclib, and vim). --------------------------------------------- https://lwn.net/Articles/1016205/ ∗∗∗ Sicherheitsupdates: Netzwerkmonitoringtool Zabbix bietet Angriffsfläche ∗∗∗ --------------------------------------------- Fünf Sicherheitslücken gefährden Computer, auf denen Zabbix installiert ist. [..] Am gefährlichsten gilt eine Schwachstelle (CVE-2024-36465 "hoch") in Zabbix API. Hier könnte ein Angreifer mit einem regulären Nutzerkonto ansetzen, um eigene SQL-Befehle auszuführen. Außerdem sind Reflected-XSS-Attacken (CVE-2024-45699 "hoch") möglich. Über diesen Weg können Angreifer Schadcode in Form einer JavaScript-Payload ausführen. --------------------------------------------- https://heise.de/-10337461 ∗∗∗ VMware Aria Operations: Sicherheitslücke erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtern die VMware-Entwickler die Schwachstelle. Demnach wurde in einer "Responsible Disclosure" eine lokale Rechteausweitungslücke an VMware gemeldet. "Bösartige Akteure können ihre Rechte zu 'root' auf der Appliance ausweiten, auf der VMware Aria Operations läuft", erklärt das Unternehmen (CVE-2025-22231, CVSS 7.8, Risiko "hoch"). --------------------------------------------- https://heise.de/-10336721 ∗∗∗ VPN-Lücken in HPE Aruba Networking Virtual Intranet Access Client geschlossen ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass der VIA-Client bis inklusive Version 4.7.0 verwundbar ist. Sie geben an, in der Ausgabe 4.7.2 zwei Sicherheitslücken (CVE-2024-3661 "hoch", CVE-2025-25041 "hoch") geschlossen zu haben. --------------------------------------------- https://heise.de/-10336851 ∗∗∗ Rockwell Automation Lifecycle Services with Veeam Backup and Replication ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-091-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2025
by Daily end-of-shift report 01 Apr '25

01 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 31-03-2025 18:00 − Dienstag 01-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing ∗∗∗ --------------------------------------------- A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucids unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. --------------------------------------------- https://thehackernews.com/2025/04/lucid-phaas-hits-169-targets-in-88.html ∗∗∗ Rechnung ohne Auftrag: Betreiber gefälschter Firmenverzeichnisse versenden Mahnungen ∗∗∗ --------------------------------------------- Fake-Portale nehmen Unternehmen ohne deren Wissen in ihr Firmenverzeichnis auf und stellen anschließend per E-Mail eine Rechnung zu. Diese Schreiben sorgen für Verunsicherung, sind grundsätzlich aber substanzlos. Wer keine Registrierung beantragt hat, muss auch nichts bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/rechnungen-fake-firmenverzeichnisse/ ∗∗∗ Hacker Claims Breach of Check Point Cybersecurity Firm, Sells Access ∗∗∗ --------------------------------------------- Hacker claims breach of Israeli cybersecurity firm Check Point, offering network access and sensitive data for sale; company denies any recent incident. --------------------------------------------- https://hackread.com/hacker-breach-check-point-cybersecurity-firm-access/ ∗∗∗ Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats ∗∗∗ --------------------------------------------- Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity ∗∗∗ CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims ∗∗∗ --------------------------------------------- Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers. [..] Based on our analysis, the threat actor is assigning a unique mining worker to each victim. --------------------------------------------- https://www.wiz.io/blog/postgresql-cryptomining ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices ∗∗∗ --------------------------------------------- Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below -CVE-2025-24085 (CVSS score: 7.3) --------------------------------------------- https://thehackernews.com/2025/04/apple-backports-critical-fixes-for-3.html ∗∗∗ Apple security releases ∗∗∗ --------------------------------------------- Safari 18.4, Xcode 16.3, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4 --------------------------------------------- https://support.apple.com/en-us/100100 ∗∗∗ CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw ∗∗∗ --------------------------------------------- Dell has released a security update for Unity OS version 5.4 and earlier, addressing a set of critical vulnerabilities that expose the popular enterprise storage systems—Unity, UnityVSA, and Unity XT—to unauthenticated remote command execution, file deletion, open redirects, and privilege escalation. --------------------------------------------- https://securityonline.info/cve-2025-22398-dell-unity-hit-by-9-8-cvss-root-… ∗∗∗ Websites kompromittierbar: Lücken in WordPress-Plug-in WP Ultimate CSV Importer ∗∗∗ --------------------------------------------- In einem Bericht warnen Sicherheitsforscher von Wordfence vor zwei Schwachstellen (CVE-2025-2007 "hoch", CVE-2025-2008 "hoch"). In beiden Fällen können entfernte Angreifer aufgrund unzureichender Überprüfungen Schadcode auf Websites laden und ausführen. Dafür müssen sie aber bereits authentifiziert sein (Subscriber-Level). [..] Ein Sicherheitspatch steht zum Download. --------------------------------------------- https://www.heise.de/news/Websites-kompromittierbar-Luecken-in-WordPress-Pl… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freetype, grub2, kernel, kernel-rt, and python-jinja2), Debian (freetype, linux-6.1, suricata, tzdata, and varnish), Fedora (mingw-libxslt and qgis), Mageia (elfutils, mercurial, and zvbi), Oracle (grafana, kernel, libxslt, nginx:1.22, and postgresql:12), Red Hat (opentelemetry-collector), SUSE (corosync, opera, and restic), and Ubuntu (aom, libtar, mariadb, ovn, php7.4, php8.1, php8.3, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1016076/ ∗∗∗ Reparierter Sicherheitspatch schließt Schadcode-Lücke in IBM App Connect ∗∗∗ --------------------------------------------- Die Schwachstelle (CVE-2025-1302 "kritisch") betrifft das jsonpath-plus-Modul zum Verarbeiten von JSON-Konfigurationen. [..] Das wurde schon mal gepatcht, das Sicherheitsupdate war aber unvollständig. Nun haben die Entwickler einen reparierten Patch veröffentlicht. --------------------------------------------- https://heise.de/-10335184 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-24/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-23/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-22/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.22 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-21/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/ ∗∗∗ Canon CVE-2025-1268 Vulnerability: A Buffer Overflow Threatening Printer Security ∗∗∗ --------------------------------------------- https://thecyberexpress.com/canon-printer-vulnerability-cve-2025-1268/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2025
by Daily end-of-shift report 31 Mar '25

31 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-03-2025 18:00 − Montag 31-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Crocodilus malware steals Android users’ crypto wallet keys ∗∗∗ --------------------------------------------- A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steal… ∗∗∗ Smoked out - Emmenhtal spreads SmokeLoader malware ∗∗∗ --------------------------------------------- We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight. --------------------------------------------- https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-E… ∗∗∗ Hidden Malware Strikes Again: Mu-Plugins Under Attack ∗∗∗ --------------------------------------------- Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks. --------------------------------------------- https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-und… ∗∗∗ BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability ∗∗∗ --------------------------------------------- In whats an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. --------------------------------------------- https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html ∗∗∗ BSI-Studie: Zahlreiche Schwachstellen in Krankenhausinformationssystemen ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben im BSI-Auftrag IT-Systemen für Kliniken auf den Zahn gefühlt und Lücken gefunden, etwa bei Verschlüsselung und Zertifikaten. --------------------------------------------- https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenha… ∗∗∗ Backdoor in the Backplane. Doing IPMI security better ∗∗∗ --------------------------------------------- IPMI remains a powerful but dangerously overlooked protocols in many enterprise environments. Whilst its ability to manage out of band systems is invaluable, there are significant security trade-offs – especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead, or aid, in a malicious actor compromising the full domain with little more than network access. --------------------------------------------- https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doi… ∗∗∗ Preparing for the EU Radio Equipment Directive security requirements ∗∗∗ --------------------------------------------- UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive (2014/53/EU), or RED. --------------------------------------------- https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-eq… ∗∗∗ Oracle Health gehackt, US-Patientendaten abgeflossen ∗∗∗ --------------------------------------------- Cyberkriminelle sind laut Berichten nach dem 22. Januar 2025 in die Server des US-Tech-Unternehmens Cerner Oracle Health eingedrungen. Es besteht der Verdacht, dass Patientendaten von US-Bürgern abgezogen wurden. Das FBI untersucht den Vorfall, der Fragen nach der Sicherheit bei Oracle aufkommen lässt. Denn es ist der zweite Sicherheitsvorfall binnen weniger Tage, der bekannt wird. --------------------------------------------- https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patienten… ∗∗∗ SVG Phishing Malware Being Distributed with Analysis Obstruction Feature ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. --------------------------------------------- https://asec.ahnlab.com/en/87078/ ∗∗∗ Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service ∗∗∗ --------------------------------------------- Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers. --------------------------------------------- https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incid… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper). --------------------------------------------- https://lwn.net/Articles/1015968/ ∗∗∗ IBM InfoSphere Information Server: Unbefugte Zugriffe möglich ∗∗∗ --------------------------------------------- Die Datenintegrationsplattform IBM InfoSphere Information Server ist verwundbar. Die Entwickler haben mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugri… ∗∗∗ ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4 ∗∗∗ --------------------------------------------- Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched. --------------------------------------------- https://projectblack.io/blog/zendto-nday-vulnerabilities/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2025
by Daily end-of-shift report 28 Mar '25

28 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-03-2025 18:00 − Freitag 28-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing-as-a-service operation uses DNS-over-HTTPS for evasion ∗∗∗ --------------------------------------------- A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. -------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operat… ∗∗∗ Notfallupdate: Kritische Sandbox-Lücke in Firefox und Tor-Browser entdeckt ∗∗∗ --------------------------------------------- Nicht nur Chrome-Nutzer sollten dieser Tage ihren Browser updaten. Eine aktiv ausgenutzte Sicherheitslücke betrifft auch die Windows-Version von Firefox. --------------------------------------------- https://www.golem.de/news/notfallupdate-kritische-sandbox-luecke-in-firefox… ∗∗∗ Stealing user credentials with evilginx ∗∗∗ --------------------------------------------- A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope. --------------------------------------------- https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evi… ∗∗∗ Quick Guide to Magento Security Patches ∗∗∗ --------------------------------------------- Magento remains a popular ecommerce platform in 2025 and its security patches play a vital role in addressing vulnerabilities that could otherwise be exploited by attackers. These patches help prevent issues like data breaches, website defacement, or unauthorized access, ensuring the safety of customer data and store operations. Given the platform’s .. --------------------------------------------- https://blog.sucuri.net/2025/03/quick-guide-to-magento-security-patches.html ∗∗∗ China’s FamousSparrow flies back into action, breaches US org after years off the radar ∗∗∗ --------------------------------------------- Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims. --------------------------------------------- https://www.theregister.com/2025/03/27/china_famoussparrow_back/ ∗∗∗ Storage-Appliances: Dell schließt unzählige Sicherheitslücken in Unity-Serien ∗∗∗ --------------------------------------------- Die Dell-Entwickler haben unter anderem eine 19 Jahre alte Schwachstelle in diversen Unity-Modellen geschlossen. --------------------------------------------- https://www.heise.de/news/Storage-Appliances-Dell-schliesst-unzaehlige-Sich… ∗∗∗ New security requirements adopted by HTTPS certificate industry ∗∗∗ --------------------------------------------- The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying .. --------------------------------------------- http://security.googleblog.com/2025/03/new-security-requirements-adopted-by… ∗∗∗ Money Laundering 101, and why Joe is worried ∗∗∗ --------------------------------------------- In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime. --------------------------------------------- https://blog.talosintelligence.com/money-laundering-101-and-why-joe-is-worr… ∗∗∗ Gamaredon campaign abuses LNK files to distribute Remcos backdoor ∗∗∗ --------------------------------------------- Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. --------------------------------------------- https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/ ∗∗∗ Obfuscation 101: Unmasking the Tricks Behind Malicious Code ∗∗∗ --------------------------------------------- “The malicious package was right in front of our eyes, but we didnt see it until it was too late.”Attackers frequently rely on obfuscation—the technique of deliberately making source code confusing and unreadable—to sneak malicious payloads past security defenses and code reviewers alike. Understanding these obfuscation techniques across .. --------------------------------------------- https://socket.dev/blog/obfuscation-101-the-tricks-behind-malicious-code ∗∗∗ NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 ∗∗∗ --------------------------------------------- The National Vulnerability Database (NVD) issued a new status update on March 19, attempting to clarify the current state of its vulnerability processing pipeline. The agency says it has resumed processing new CVEs at the same rate it maintained before last year’s slowdown, but with vulnerability volumes surging, that’s no longer enough.We are currently .. --------------------------------------------- https://socket.dev/blog/nvd-backlog-crisis-deepens-amid-surging-cve-disclos… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, .. --------------------------------------------- https://lwn.net/Articles/1015718/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2025
by Daily end-of-shift report 27 Mar '25

27 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-03-2025 18:00 − Donnerstag 27-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗ --------------------------------------------- Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors cloud platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla… ∗∗∗ Cybercrime-Tool Atlantis AIO soll automatisierte Passwort-Attacken optimieren ∗∗∗ --------------------------------------------- Dahinter stecken organisierte Profi-Verbrecher, die ihre Werkzeuge im Darknet mit Werbeanzeigen und Support anpreisen. So auch im Fall des jüngst von Sicherheitsforschern entdeckten Tools Atlantis AIO. --------------------------------------------- https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-… ∗∗∗ Abonnement gekündigt? Achtung: Phishing-Versuch mit Disney+! ∗∗∗ --------------------------------------------- Mit einer angeblich von Disney+ stammenden E-Mail versuchen Kriminelle ihre Opfer auf eine Fake-Loginseite zu locken. Dort fragen sie die Anmeldeinformationen des Abos und Kreditkartendaten ab. Woran Sie den Phishing-Versuch ganz einfach erkennen können, zeigen wir Ihnen hier. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-versuch-disney/ ===================== = Vulnerabilities = ===================== ∗∗∗ Backuplösung SnapCenter: Angreifer können als Admin Systeme übernehmen ∗∗∗ --------------------------------------------- Die Backupsoftware SnapCenter ist verwundbar und Angreifer können sich durch das erfolgreiche Ausnutzen einer „kritischen“ Sicherheitslücke Admin-Rechte verschaffen. In einem Beitrag zur Schwachstelle (CVE-2025-26512) führen die Entwickler aus, die Versionen 6.0.1P1 und 6.1P1 repariert zu haben. Alle vorigen Ausgaben sind attackierbar. --------------------------------------------- https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). --------------------------------------------- https://lwn.net/Articles/1015589/ ∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗ --------------------------------------------- Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ ∗∗∗ Splunk: Teils hochriskante Sicherheitslecks in mehreren Produkten ∗∗∗ --------------------------------------------- Splunk hat eine Reihe an Sicherheitslücken in mehreren Produkten gemeldet. Aktualisierte Software-Pakete stehen zum Herunterladen bereit, mit denen Admins diese Sicherheitslecks stopfen können. --------------------------------------------- https://heise.de/-10330630 ∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00050.html ∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan… ∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2025
by Daily end-of-shift report 26 Mar '25

26 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-03-2025 18:00 − Mittwoch 26-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗ --------------------------------------------- Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local… ∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗ --------------------------------------------- The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen… ∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. --------------------------------------------- https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-… ∗∗∗ Have I Been Pwned: Projektbetreiber Troy Hunt gepwned ∗∗∗ --------------------------------------------- Troy Hunt, Betreiber des Dienstes Have-I-Been-Pwned (HIBP), wurde Opfer einer Phishing-Attacke und damit selbst "Pwned". Es sind 16.627 E-Mail-Adressen der Mailingliste für den Newsletter zu Troys persönlichen Blog dadurch in unbefugte Hände abgeflossen. In einem Blog-Beitrag erklärt Hunt, wie es zu dem Vorfall kommen konnte. --------------------------------------------- https://heise.de/-10328970 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in Kubernetes Ingress NGINX Controller - Updates verfügbar ∗∗∗ --------------------------------------------- Im Kubernetes Ingress NGINX Controller, einer Kernkomponente von Kubernetes, wurden mehrere kritische Sicherheitslücken entdeckt. Diese ermöglichen unter anderem unauthentifizierte Remote Code Execution (RCE) und unberechtigten Zugriff auf Secrets. --------------------------------------------- https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller… ∗∗∗ Dringend patchen: Gefährliche Zero-Day-Lücke in Chrome für Spionage ausgenutzt ∗∗∗ --------------------------------------------- Nachdem Google in seinem Webbrowser Chrome erst in der vergangenen Woche eine kritische Sicherheitslücke geschlossen hatte, legt der Konzern jetzt nochmal nach. Mit einem am Dienstag veröffentlichten Update beseitigt Google eine Schwachstelle, die bereits im Rahmen gezielter Spionageangriffe aktiv ausgenutzt wird. [..] Die Ausnutzung der als CVE-2025-2783 registrierten Chrome-Lücke wurde Mitte März von Sicherheitsforschern von Kaspersky entdeckt. [..] Den Angaben zufolge lässt sich die Sicherheitslücke durch speziell präparierte Webseiten ausnutzen, die die jeweilige Zielperson lediglich aufrufen muss. [..] Einen Bericht mit weiteren technischen Details wollen die Sicherheitsforscher zu einem späteren Zeitpunkt veröffentlichen. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-… ∗∗∗ VMware Tools ermöglichen Rechteausweitung in VMs ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung von Broadcom erörtern die Autoren, dass aufgrund unzureichender Zugriffskontrollen die Umgehung der Authentifizierung möglich ist (CVE-2025-22230, CVSS 7.8, Risiko "hoch"). Bösartige Akteure mit nicht-administrativen Rechten in einem Windows-Gastsystem können dadurch Operationen, die höhere Zugriffsrechte benötigen, ausführen. --------------------------------------------- https://www.heise.de/-10328819 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish). --------------------------------------------- https://lwn.net/Articles/1015464/ ∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗ --------------------------------------------- [security] Fixed stored XSS in event reports (mermaid rendering function). --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.8 ∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-181/ ∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-… ∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-180/ ∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-178/ ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2025
by Daily end-of-shift report 25 Mar '25

25 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-03-2025 18:00 − Dienstag 25-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗ --------------------------------------------- A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steams login page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac… ∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗ --------------------------------------------- OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project. --------------------------------------------- https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating… ∗∗∗ Zero Day: Russische Firma zahlt für Telegram-Lücken Millionen ∗∗∗ --------------------------------------------- Die stetig wachsende Nutzerbasis macht die Plattform auch für Cyberangriffe immer interessanter. Aus diesem Grund bietet der russische Schwachstellenhändler Operation Zero mittlerweile bis zu vier Millionen US-Dollar für ungepatchte Sicherheitslücken in Telegram. --------------------------------------------- https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel… ∗∗∗ Achtung: Phishing-Mails im Namen des Wiener Tourismusverbands! ∗∗∗ --------------------------------------------- Aktuell kursieren E-Mails im Namen der Buchhaltung, die dazu auffordern, Rechnungen aufgrund technischer Probleme direkt per E-Mail zu senden. Vorsicht: Diese E-Mails stammen nicht von Mitarbeitenden des Wiener Tourismusverband sondern von Kriminellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-… ∗∗∗ Oracle angeblich gehackt: Nutzerdaten im Darknet zum Verkauf ∗∗∗ --------------------------------------------- Sicherheitsforscher von CloudSEK berichten, dass im Darknet sensible Daten von rund 140.000 Oracle-Kunden zum Verkauf stehen. Diese Informationen sollen aus einer Cyberattacke stammen. Dem Hard- und Softwarehersteller zufolge hat es keinen IT-Sicherheitsvorfall gegeben. --------------------------------------------- https://heise.de/-10327980 ∗∗∗ US-Behörde stoppt Gelder für Lets Encrypt und Tor ‒ Open Tech Fund wehrt sich ∗∗∗ --------------------------------------------- Nach einem Dekret von US-Präsident Trump erhält der Open Technology Fund keine Fördermittel mehr. Deswegen zieht die Organisation jetzt vor Gericht. --------------------------------------------- https://heise.de/-10328226 ∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures. --------------------------------------------- https://thecyberexpress.com/fake-hiring-challenge-targets-developers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗ --------------------------------------------- On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place. --------------------------------------------- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-… ∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗ --------------------------------------------- Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. --------------------------------------------- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities ∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131009 ∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131008 ∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131007 ∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131006 ∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131005 ∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html ∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03 ∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02 ∗∗∗ ABB RMC-100 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01 ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2025
by Daily end-of-shift report 24 Mar '25

24 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-03-2025 18:00 − Montag 24-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗ --------------------------------------------- The FBI is warning that fake online document converters are being used to steal peoples information and, in worst-case scenarios, lead to ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f… ∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗ --------------------------------------------- Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un… ∗∗∗ Trusted Signing: Hacker signieren Windows-Malware über Microsoft-Plattform ∗∗∗ --------------------------------------------- Forscher haben Malware entdeckt, die über Microsofts neue Trusted-Signing-Plattform signiert wurde. Windows-Systeme lassen sich damit leichter infizieren. --------------------------------------------- https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo… ∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗ --------------------------------------------- The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbases open-source projects, before evolving into something more widespread in scope."The payload was focused on .. --------------------------------------------- https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html ∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 .. --------------------------------------------- https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html ∗∗∗ Oracle Cloud says its not true someone broke into its login servers and stole data ∗∗∗ --------------------------------------------- Despite evidence to the contrary as alleged pilfered info goes on sale Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. --------------------------------------------- https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti… ∗∗∗ Verfassungsschutz: Deutsche NGOs Ziel von russischen Cyberangriffen ∗∗∗ --------------------------------------------- Das Bundesamt für Verfassungsschutz hat einige zivilgesellschaftliche Organisationen alarmiert, dass sie verstärkt im Fokus russischer Cyberattacken stünden. --------------------------------------------- https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ… ∗∗∗ Google Maps: Falsche Schlüsseldienste und Co. spähen Nutzer aus ∗∗∗ --------------------------------------------- Der Navigationsdienst Google Maps klagt gegen unechte Geschäfte auf seiner Plattform, die Nutzerdaten abschöpften und verkauften. --------------------------------------------- https://heise.de/-10325360 ∗∗∗ How to find Next.js on your network ∗∗∗ --------------------------------------------- On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see .. --------------------------------------------- https://www.runzero.com/blog/next-js/ ∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗ --------------------------------------------- This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and .. --------------------------------------------- https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily