Daily

daily@lists.cert.at

1 participants
3082 discussions

Tageszusammenfassung - 23.12.2024
by Daily end-of-shift report 23 Dec '24

23 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-12-2024 18:00 − Montag 23-12-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗ --------------------------------------------- Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar… ∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗ --------------------------------------------- We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims data with various PowerShell scripts. --------------------------------------------- https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/ ∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗ --------------------------------------------- My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by .. --------------------------------------------- https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540 ∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help .. --------------------------------------------- https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h… ∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗ --------------------------------------------- An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm."It appears that the [Rockstar2FA] group running the service experienced at least a .. --------------------------------------------- https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h… ∗∗∗ l+f: Sicherheitsforscher bestellt bei McDonalds für 1 Cent ∗∗∗ --------------------------------------------- Der McDonalds-Lieferservice in Indien war kaputt und Bestellungen waren umfangreich manipulierbar. --------------------------------------------- https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f… ∗∗∗ Webbrowser: Chrome und Edge sollen mittels KI vor Spam-Seiten warnen ∗∗∗ --------------------------------------------- Um Nutzer vor betrügerischen Websites zu warnen, haben Chrome und Edge neuerdings einen KI-Schutz an Bord. Noch ist das Feature aber nicht standardmäßig aktiv. --------------------------------------------- https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-… ∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗ --------------------------------------------- TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]The post Heels on fire. Hacking smart ski socks first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s… ∗∗∗ Fast zwei Drittel aller gestohlenen Kryptogelder wanderten 2024 nach Nordkorea ∗∗∗ --------------------------------------------- Eine aktuelle Analyse zeigt, dass der Gesamtwert gestohlener Kryptowährungen heuer bisher um 21 Prozent auf 2,2 Milliarden Dollar gestiegen ist --------------------------------------------- https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest… ∗∗∗ NSO-Group für WhatsApp-Angriff mit Pegasus-Spyware schuldig gesprochen ∗∗∗ --------------------------------------------- Im Jahr 2019 wurden WhatsApp-Nutzer Opfer eines Angriffs durch Spyware, die über eine Schwachstelle auf Android und iOS-Geräte installiert werden konnte. WhatsApp verklagte die NSO Group, die den .. --------------------------------------------- https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus… ∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗ --------------------------------------------- Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the .. --------------------------------------------- https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi… ∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗ --------------------------------------------- What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain .. --------------------------------------------- https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-… ∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗ --------------------------------------------- Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats. --------------------------------------------- https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/ ∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗ --------------------------------------------- A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners .. --------------------------------------------- https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s… ∗∗∗ Kritische Sicherheitslücken bedrohen Sophos-Firewalls ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Firewalls von Sophos erschienen. Mit den Standardeinstellungen installieren sie sich automatisch. --------------------------------------------- https://heise.de/-10218914 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, .. --------------------------------------------- https://lwn.net/Articles/1003287/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗ --------------------------------------------- Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously .. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0008.html ∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-91 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2024
by Daily end-of-shift report 20 Dec '24

20 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-12-2024 18:00 − Freitag 20-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Junior IT-Security Analyst:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für unsere laufenden Routinetätigkeiten suchen wir derzeit eine:n Berufsein- oder -umsteiger:in mit Interesse an IT-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect… ∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗ --------------------------------------------- This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu… ∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗ --------------------------------------------- While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP". --------------------------------------------- https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/ ∗∗∗ Auslaufmodell NTLM: Aus Windows 11 24H2 und Server 2025 teils entfernt ∗∗∗ --------------------------------------------- Weitgehend unbemerkt wurden in Windows 11 24H2 und Server 2025 zudem NTLMv1 entfernt. --------------------------------------------- https://heise.de/-10217239 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1718/ ∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1724/ ∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗ --------------------------------------------- Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot). --------------------------------------------- https://lwn.net/Articles/1003019/ ∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027 ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2024
by Daily end-of-shift report 19 Dec '24

19 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-12-2024 18:00 − Donnerstag 19-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗ --------------------------------------------- During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. --------------------------------------------- https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t… ∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials. --------------------------------------------- https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html ∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗ --------------------------------------------- Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th… ∗∗∗ Achtung: AG Reparaturservice ist Betrug ∗∗∗ --------------------------------------------- Geschirrspüler kaputt? Die Website ag-reparaturservice.at bietet angeblich Reparaturen verschiedenster Geräte an. Von Kühlschränken über Waschmaschinen bis hin zu Backöfen repariert das Unternehmen angeblich Haushaltsgeräte. Wir raten zur Vorsicht: Die Reparatur wird trotz Bezahlung nicht durchgeführt. Sie verlieren Ihr Geld. Wir zeigen Ihnen, wie Sie die Betrugsmasche erkennen! --------------------------------------------- https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/ ∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗ --------------------------------------------- A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.” --------------------------------------------- https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa… ∗∗∗ Hacker könnten über Schwachstellen in Solaranlagen das europäische Stromnetz knacken ∗∗∗ --------------------------------------------- Unschöne, aber keineswegs neue Erkenntnis. Deutschland ist zwar "stolz" ob der installierten Leistung an Solarkollektoren. Aber ein griechischer White Hat-Hacker hat gezeigt, wie er sich mittels Notebook und Internet in zahlreiche europäischen Solaranlagen hacken und diese – auch in Deutschland – einfach ausknipsen könnte. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell… ∗∗∗ Kritische LDAP-Schwachstelle in Windows (CVE-2024-49112) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag vom Dezember 2024-Patchday. Zum 10. Dezember 2024 hat Microsoft einen kritische Schwachstelle (CVE-2024-49112) im Lightweight Directory Access Protocol (LDAP) öffentlich gemacht. Diese ermöglicht Remote-Angriffe auf Windows-Clients und -Server, wurde aber gepatcht. [..] Hunter schreibt, dass jährlich 178.900 LDAP- und LDAPS-Dienste jährlich beim Scans über hunter.how gefunden würden. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi… ∗∗∗ Exploring vulnerable Windows drivers ∗∗∗ --------------------------------------------- This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. --------------------------------------------- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/ ∗∗∗ Betrugsmail: Cyberversicherung muss Schaden nicht ersetzen ∗∗∗ --------------------------------------------- Klassisches Mail-Spoofing kostete eine deutsche Firma 85.000 Euro. Ihre Cyberversicherung deckt den Schaden nicht, sagt das Landgericht Hagen. --------------------------------------------- https://heise.de/-10215212 ∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗ --------------------------------------------- Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction. --------------------------------------------- https://socket.dev/blog/skuld-infostealer-returns-to-npm ===================== = Vulnerabilities = ===================== ∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗ --------------------------------------------- A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990 --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-144 ∗∗∗ FortiManager OS command injection ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889 --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara). --------------------------------------------- https://lwn.net/Articles/1002903/ ∗∗∗ Delta Electronics DTM Soft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03 ∗∗∗ Hitachi Energy SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02 ∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01 ∗∗∗ Ossur Mobile Logic Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01 ∗∗∗ Tibbo AggreGate Network Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2024
by Daily end-of-shift report 18 Dec '24

18 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-12-2024 18:00 − Mittwoch 18-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗ --------------------------------------------- A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce… ∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗ --------------------------------------------- Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device. --------------------------------------------- https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad… ∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗ --------------------------------------------- In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check. --------------------------------------------- https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis… ∗∗∗ Spotify: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Spotify stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Spotify die Nutzungsgebühr nicht abbuchen konnte und daher den Account vorübergehend gesperrt hat. Um Spotify weiter nutzen zu können, werden Sie aufgefordert die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen… ∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗ --------------------------------------------- Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device. --------------------------------------------- https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the… ∗∗∗ Phishing-Masche nimmt Nutzer von Google-Kalender ins Visier ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen laut einer Analyse von Sicherheitsforschern offenbar verstärkt Google-Kalender-Invites, um Internetnutzer auf Phishingseiten zu locken. --------------------------------------------- https://heise.de/-10214705 ∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗ --------------------------------------------- TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. --------------------------------------------- https://isc.sans.edu/diary/rss/31530 ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗ --------------------------------------------- A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356 --------------------------------------------- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10 ∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗ --------------------------------------------- On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR) --------------------------------------------- https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess… ∗∗∗ Foxit PDF Editor und Reader: Attacken über präparierte PDF-Dateien möglich ∗∗∗ --------------------------------------------- PDF-Anwendungen von Foxit sind unter macOS und Windows verwundbar. Sicherheitsupdates stehen bereit. [..] Die Einstufung des Bedrohungsgrads der Lücken (CVE-2024-49576, CVE-2024-47810) steht zurzeit noch aus. --------------------------------------------- https://heise.de/-10211267 ∗∗∗ Windows-Sicherheitslösung Trend Micro Apex One als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in Trend Micro Apex One ansetzen. Sicherheitsupdates sind verfügbar. [..] Die darin geschlossenen Sicherheitslücken (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) sind mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-10213518 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1002703/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben. --------------------------------------------- https://heise.de/-10202355 ∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗ --------------------------------------------- DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf… ∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗ --------------------------------------------- Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi… ∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in… ∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims. --------------------------------------------- https://isc.sans.edu/diary/rss/31524 ∗∗∗ Technical Analysis of RiseLoader ∗∗∗ --------------------------------------------- In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-riseload… ∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗ --------------------------------------------- APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel). --------------------------------------------- https://lwn.net/Articles/1002496/ ∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗ --------------------------------------------- Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar. --------------------------------------------- https://heise.de/-10202537 ∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-466.html ∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-465.html ∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03 ∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02 ∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01 ∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.3 ∗∗∗ BD Diagnostic Solutions Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

1 0

Tageszusammenfassung - 16.12.2024
by Daily end-of-shift report 16 Dec '24

16 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-12-2024 18:00 − Montag 16-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Update-Katalog: Kritische Lücke in Microsofts Webserver entdeckt ∗∗∗ --------------------------------------------- Angreifer konnten sich auf einem Webserver von Microsoft erweiterte Rechte verschaffen. Trotz versprochener Transparenz nennt der Konzern keine Details. --------------------------------------------- https://www.golem.de/news/microsoft-update-katalog-kritische-luecke-in-micr… ∗∗∗ Angriffe auf Citrix Netscaler Gateway: Hersteller gibt Hinweise zum Schutz ∗∗∗ --------------------------------------------- Seit Dezember 2024 gibt es ja massiven Angriffswellen Citrix Netscaler Gateways. [..] Nun hat Citrix reagiert, und gibt Tipps, wie sich Netscaler Gateways gegen die Angriffe … Weiterlesen →Quelle --------------------------------------------- https://www.borncity.com/blog/2024/12/15/angriffe-auf-citrix-netscaler-gate… ∗∗∗ 390,000 WordPress accounts stolen from hackers in supply chain attack ∗∗∗ --------------------------------------------- A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-s… ∗∗∗ The Simple Math Behind Public Key Cryptography ∗∗∗ --------------------------------------------- The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure. --------------------------------------------- https://www.wired.com/story/how-public-key-cryptography-really-works-using-… ∗∗∗ NodeLoader Exposed: The Node.js Malware Evading Detection ∗∗∗ --------------------------------------------- Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. --------------------------------------------- https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-… ∗∗∗ Phishing-Nachricht „Ihr Konto wurde gesperrt“ im Namen von Meta ignorieren! ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht von Meta, in der Ihnen mitgeteilt wird, dass Ihr Facebook- oder Instagram-Konto demnächst gesperrt wird. Um dies zu verhindern, müssen Sie auf einen Link klicken und Ihr Konto verifizieren. Aber Vorsicht: Es handelt sich um eine Phishing-Nachricht von Kriminellen, die Ihre Daten stehlen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-nachricht-im-namen-von-meta/ ∗∗∗ Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation ∗∗∗ --------------------------------------------- Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. --------------------------------------------- https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/ ∗∗∗ CoinLurker: The Stealer Powering the Next Generation of Fake Updates ∗∗∗ --------------------------------------------- The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks. --------------------------------------------- https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generat… ∗∗∗ Secure Coding: CWE 1123 – Sich selbst modifizierenden Code vermeiden ∗∗∗ --------------------------------------------- Die Common Weakness Enumeration CWE-1123 warnt vor dem übermäßigen Einsatz von sich selbst modifizierendem Code. Java-Entwickler sollten mit Bedacht agieren. --------------------------------------------- https://heise.de/-10194617 ∗∗∗ CISA and EPA Warn: Internet-Exposed HMIs Pose Serious Cybersecurity Risks to Water Systems ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. --------------------------------------------- https://thecyberexpress.com/exposed-human-machine-interfaces-in-wws/ ∗∗∗ The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit ∗∗∗ --------------------------------------------- This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpect… ∗∗∗ Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) ∗∗∗ --------------------------------------------- Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use AndroidQF Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android device for traces of these indicators. --------------------------------------------- https://securitylab.amnesty.org/latest/2024/12/tech-guide-detecting-novispy… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath). --------------------------------------------- https://lwn.net/Articles/1002338/ ∗∗∗ Siemens: SSA-928984 V1.0: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-928984.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2024
by Daily end-of-shift report 13 Dec '24

13 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-12-2024 18:00 − Freitag 13-12-2024 18:05 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Social Engineering nach Mailbombing ∗∗∗ --------------------------------------------- Rapid7 hat vor Kurzem einen Blogbeitrag zur Vorgehensweise einer Ransomwaregruppe veröffentlicht, wir haben inzwischen von mehreren Firmen in Österreich gehört, die dieses Angriffsmuster selber beobachten mussten: Zuerst wird ein Mitarbeiter der Zielfirma mit E-Mail überschüttet: in vielen Fällen sind das legitime Newsletter, die aber in der Masse ein echtes Problem sind. Danach wird dieser Angestellte per Teams oder über andere Kanäle kontaktiert: Man sei der Helpdesk und will ihm bei der Bewältigung der Mail-Lawine helfen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing ∗∗∗ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion ∗∗∗ --------------------------------------------- In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html ∗∗∗ Germany sinkholes BadBox malware pre-loaded on Android devices ∗∗∗ --------------------------------------------- Germanys Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-mal… ∗∗∗ Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat ∗∗∗ --------------------------------------------- The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasnt enforced them. Its unclear if they will help. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telco… ∗∗∗ IoT Cloud Cracked by Open Sesame Over-the-Air Attack ∗∗∗ --------------------------------------------- Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device. --------------------------------------------- https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-a… ∗∗∗ Windows Tooling Updates: OleView.NET ∗∗∗ --------------------------------------------- This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-olev… ∗∗∗ New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. --------------------------------------------- https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.h… ∗∗∗ Attacking Entra Metaverse: Part 1 ∗∗∗ --------------------------------------------- This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary --------------------------------------------- https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?s… ===================== = Vulnerabilities = ===================== ∗∗∗ DevSecOps-Plattform Gitlab: Accountübernahme möglich ∗∗∗ --------------------------------------------- In einem Beitrag schreiben die Entwickler, dass auf Gitlab.com bereits die abgesicherten Ausgaben laufen. Für selbstverwaltete Gitlab-Installation sind nun die Ausgaben 17.4.6, 17.5.4 und 17.6.2 in der Community Edition und Enterprise Edition erschienen. [..] Insgesamt haben die Entwickler zwölf Sicherheitslücken geschlossen. Zwei davon sind mit dem Bedrohungsgrad "hoch" eingestuft (CVE-2024-11274, CVE-2024-8233). Im ersten Fall können Angreifer durch Manipulation von Kubernetes-Proxy-Responses Accounts übernehmen. --------------------------------------------- https://heise.de/-10198923 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3). --------------------------------------------- https://lwn.net/Articles/1002036/ ∗∗∗ Schneider Electric Security Advisories 10.12.2024 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/ ∗∗∗ F5: K000148969: Python vulnerability CVE-2024-7592 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2024
by Daily end-of-shift report 12 Dec '24

12 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-12-2024 18:00 − Donnerstag 12-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Apache issues patches for critical Struts 2 RCE bug ∗∗∗ --------------------------------------------- More details released after devs allowed weeks to apply fixes. We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. [..] Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/12/apache_strut… ∗∗∗ Cyber Resilience Act: Vernetzte Produkte müssen bald besser abgesichert sein ∗∗∗ --------------------------------------------- Die EU-Verordnung zur Cyber-Widerstandsfähigkeit ist in Kraft getreten. Hersteller vernetzter Produkte müssen künftig ein Mindestmaß an Cybersicherheit bieten. --------------------------------------------- https://heise.de/-10197273 ∗∗∗ Modular Java Backdoor Dropped in Cleo Exploitation Campaign ∗∗∗ --------------------------------------------- While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropp… ∗∗∗ The Bite from Inside: The Sophos Active Adversary Report ∗∗∗ --------------------------------------------- A sea change in available data fuels fresh insights from the first half of 2024. --------------------------------------------- https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/ ∗∗∗ Vorsicht beim Online-Kauf von Weihnachtsbäumen: So erkennen Sie unseriöse Shops ∗∗∗ --------------------------------------------- Die Vorweihnachtszeit ist für viele mit Stress und hohen Ausgaben verbunden - da scheint ein günstiger und schnell aufgestellter Weihnachtsbaum verlockend. Besonders im Trend liegen faltbare Weihnachtsbäume, die in Rekordzeit aufgestellt sein sollen. Doch Vorsicht: Nicht alle Anbieter halten, was sie versprechen. Wir zeigen, woran man unseriöse Angebote erkennt. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-shops-beim-weihnachtsbaum… ∗∗∗ 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks ∗∗∗ --------------------------------------------- In this research we highlighted vulnerabilities and flaws in the Prometheus stack. We highlight the risks associated with exposing Prometheus servers and exporters to the internet without authentication, which expose sensitive information and can be exploited to launch DoS attacks or even execute arbitrary code through compromised exporters. --------------------------------------------- https://blog.aquasec.com/300000-prometheus-servers-and-exporters-exposed-to… ∗∗∗ Bis zum Burn-out: Open-Source-Entwickler von KI-Bug-Reports genervt ∗∗∗ --------------------------------------------- Sie kommen freundlich und wohl durchdacht daher: Doch bei genauerer Prüfung stellen Open-Source-Maintainer fest, dass immer mehr Bugreports KI-Unsinn sind. --------------------------------------------- https://heise.de/-10195951 ===================== = Vulnerabilities = ===================== ∗∗∗ Hunk Companion WordPress plugin exploited to install vulnerable plugins ∗∗∗ --------------------------------------------- The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem. While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console. [..] By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plu… ∗∗∗ Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th) ∗∗∗ --------------------------------------------- Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31514 ∗∗∗ Atlassian schützt Confluence & Co. vor möglichen DoS-Attacken ∗∗∗ --------------------------------------------- Angreifer können an zehn Sicherheitslücken in Atlassian Bamboo, Bitbucket und Confluence ansetzen und unter anderem Abstürze provozieren. --------------------------------------------- https://heise.de/-10196643 ∗∗∗ Sicherheitspatch: Angreifer können über TeamViewer-Lücke Windows-Dateien löschen ∗∗∗ --------------------------------------------- Basierend auf einer Warnmeldung ist die Komponente TeamViewer Patch & Asset Management angreifbar (CVE-2024-12363 "hoch"). Die Komponente ist aber standardmäßig nicht installiert. Sie ist optional im Kontext des Remote-Management-Features installierbar. [..] Die Entwickler versichern, dass sich das Sicherheitsupdate automatisch installiert. --------------------------------------------- https://heise.de/-10196765 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado). --------------------------------------------- https://lwn.net/Articles/1001863/ ∗∗∗ Paloalto: PAN-SA-2024-0017 Chromium: Monthly Vulnerability Updates (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0017 ∗∗∗ Tenable: [R1] Security Center Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-20 ∗∗∗ Drupal: Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-076 ∗∗∗ Drupal: Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-075 ∗∗∗ Drupal: Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-074 ∗∗∗ Drupal: Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-073 ∗∗∗ Drupal: Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-072 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2024
by Daily end-of-shift report 11 Dec '24

11 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-12-2024 18:00 − Mittwoch 11-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗ --------------------------------------------- Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. --------------------------------------------- https://hackread.com/ongoing-phishing-campaign-targets-employees/ ∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗ --------------------------------------------- On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it. --------------------------------------------- https://arstechnica.com/information-technology/2024/12/new-badram-attack-ne… ∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a "critical" security vulnerability in Microsofts multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victims account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024. --------------------------------------------- https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html ∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗ --------------------------------------------- Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large. --------------------------------------------- https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dis… ∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗ --------------------------------------------- As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-r… ∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗ --------------------------------------------- PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-b… ∗∗∗ Zeitplan veröffentlicht: Lets Encrypt schafft OCSP-Zertifikatsüberprüfung ab ∗∗∗ --------------------------------------------- Das Protokoll zur Echtzeit-Gültigkeitsprüfung hat Datenschutzprobleme. Die weltgrößte CA ersetzt es nun durch Zertifikats-Sperrlisten. --------------------------------------------- https://heise.de/-10195107 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti: December Security Update ∗∗∗ --------------------------------------------- Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639 --------------------------------------------- https://www.ivanti.com/blog/december-security-update ∗∗∗ Microsoft Security Update Summary (10. Dezember 2024) ∗∗∗ --------------------------------------------- Am 10. Dezember 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 70 Schwachstellen (CVEs), davon 16 kritische Sicherheitslücken, davon eine als 0-day klassifiziert (bereits ausgenutzt). --------------------------------------------- https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-… ∗∗∗ Solarwinds Web Help Desk: Software-Update schließt kritische Lücken ∗∗∗ --------------------------------------------- In Solarwinds Web Help Desk haben die Entwickler teils kritische Sicherheitslücken korrigiert. IT-Verantwortliche sollten rasch aktualisieren. --------------------------------------------- https://heise.de/-10195207 ∗∗∗ Patchday: Adobe schließt mehr als 160 Sicherheitslücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Insgesamt hat der Softwarehersteller mehr als 160 Schwachstellen mit Updates für die Produkte geschlossen. --------------------------------------------- https://www.heise.de/-10194979 ∗∗∗ Synology-SA-24:28 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to read specific files. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_28 ∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗ --------------------------------------------- The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability. --------------------------------------------- https://kb.cert.org/vuls/id/164934 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro). --------------------------------------------- https://lwn.net/Articles/1001728/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/ ∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148931 ∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-… ∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1207 ∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1206 ∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1205 ∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1204 ∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1203 ∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1202 ∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1201 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily