Daily

daily@lists.cert.at

1 participants
3119 discussions

Tageszusammenfassung - 04.06.2024
by Daily end-of-shift report 04 Jun '24

04 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 03-06-2024 18:00 − Dienstag 04-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vorsicht vor betrügerischen Seiten zu Digitaler Euro und Bundesschatz! ∗∗∗ --------------------------------------------- Der Watchlist Internet werden aktuell massenhaft E-Mails gemeldet, die im Namen von der Österreichischen Nationalbank ein Pilotprogramm zum digitalen Euro ankündigen. Dabei wird mit „einmaligen Renditechancen“ geworben und durch den Hinweis auf die Kooperation von bundesschatz.at und der Europäischen Zentralbank Seriosität und Vertrauenswürdigkeit vorgetäuscht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-seiten-… ∗∗∗ Azure Service Tags tagged as security risk, Microsoft disagrees ∗∗∗ --------------------------------------------- Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers private data. [..] Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, often used to secure Azure services and sensitive data without authentication checks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/azure-service-tags-tagged-a… ∗∗∗ PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800) ∗∗∗ --------------------------------------------- Security researchers have published a proof-of-concept (PoC) exploit that chains together two vulnerabilities (CVE-2024-4358, CVE-2024-1800) to achieve unauthenticated remote code execution on Progress Telerik Report Servers. Telerik Report Server is a centralized enterprise platform for report creation, management, storage and delivery/distribution. [..] It was reported by an anonymous researcher and fixed earlier this year by Progress Software. --------------------------------------------- https://www.helpnetsecurity.com/2024/06/04/cve-2024-4358-cve-2024-1800-poc/ ∗∗∗ Details of Atlassian Confluence RCE Vulnerability Disclosed ∗∗∗ --------------------------------------------- Successful exploitation of the bug, however, requires that the attacker has the privileges required for adding new macro languages, and to upload a malicious language file using the ‘Add a new language’ function in the ‘Configure Code Macro’ section. According to Atlassian, which rolled out patches for the vulnerability a couple of weeks ago, the issue was introduced in Confluence version 5.2. --------------------------------------------- https://www.securityweek.com/details-of-atlassian-confluence-rce-vulnerabil… ∗∗∗ Aktuelle Phishingwelle bei Hetzner (Juni 2024) ∗∗∗ --------------------------------------------- Behauptet wird, dass die Domain nicht mehr zugreifbar sei, weil es ein Problem mit einem Zahlungsversuch gegeben habe. Ziel ist es, die Zahlungsinformationen des Opfers abzugreifen. Wer bei Hetzner hostet, könnte möglicherweise darauf hereinfallen. --------------------------------------------- https://www.borncity.com/blog/2024/06/04/aktuelle-phishingwelle-bei-hetzner… ∗∗∗ 122 Gigabyte persönliche Nutzerdaten über Telegram-Messenger geleakt ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein großes Archiv mit persönlichen Daten aus Telegram-Kanälen zusammengetragen. Darunter sind neben E-Mail-Adressen auch Passwörter. [..] Einem Bericht zufolge wurde das Archiv dem Betreiber des Onlineservices Have I Been Pwned (HIBP) zugespielt. Der Service sammelt aus Cyberattacken geleakte Daten. Dort kann man anonymisiert etwa durch die Eingabe der eigenen E-Mail-Adresse prüfen, ob man in einem Datenleak auftaucht. --------------------------------------------- https://heise.de/-9746825 ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Management-Plattform SolarWinds über mehrere Wege angreifbar ∗∗∗ --------------------------------------------- Wie aus einer Mitteilung zur aktuellen abgesicherten Version 2024.2 hervorgeht, haben die Entwickler in der Managementplattform direkt drei Lücken (CVE-2024-28996 "hoch", CVE-2024-28999 "mittel", CVE-2024-29004 "hoch") geschlossen. Darunter können Angreifer unter anderem für eine persistente XSS-Attacke ansetzen. In diesem Fall können sie beim Aufruf der Webkonsole eigenen Code ausführen. Dafür benötigt ein Angreifer aber bereits im Vorfeld hohe Nutzerrechte und zudem muss ein Opfer mitspielen. --------------------------------------------- https://heise.de/-9747340 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (chromium-browser-stable, git, libreoffice, microcode, python-requests, webkit2, and wireshark), Oracle (container-tools:ol8, glibc, go-toolset:ol8, idm:DL1 and idm:client, less, python39:3.9 and python39-devel:3.9, ruby:3.0, and virt:ol and virt-devel:rhel), Red Hat (nodejs, nodejs:18, python-idna, and ruby:3.1), and SUSE (389-ds, ffmpeg, ffmpeg-4, gnutls, gstreamer-plugins-base, libhtp, mariadb104, poppler, python-python-jose, squid, and unbound). --------------------------------------------- https://lwn.net/Articles/976977/ ∗∗∗ Zyxel security advisory for multiple vulnerabilities in NAS products ∗∗∗ --------------------------------------------- Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ CODESYS: Vulnerability can cause a DoS on CODESYS OPC UA products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-026/ ∗∗∗ CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-027/ ∗∗∗ Uniview NVR301-04S2-P4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-156-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2024
by Daily end-of-shift report 03 Jun '24

03 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-05-2024 18:00 − Montag 03-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Sicherheitsbehörde warnt: Schwachstelle im Linux-Kernel wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Die US-amerikanische Cybersicherheitsbehörde Cisa hat kürzlich eine Warnung vor der aktiven Ausnutzung einer Schwachstelle im Linux-Kernel herausgegeben. Die Sicherheitslücke ist als CVE-2024-1086 registriert und ermöglicht es Angreifern mit lokalem Zugriff auf ein anfälliges System, ihre Rechte auszuweiten und dadurch einen Root-Zugriff zu erlangen. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-schwachstelle-im-linux-… ∗∗∗ Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions ∗∗∗ --------------------------------------------- Now-patched authorization bypass issues impacting Cox modems that could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands. --------------------------------------------- https://thehackernews.com/2024/06/researcher-uncovers-flaws-in-cox-modems.h… ∗∗∗ PoC Published for Exploited Check Point VPN Vulnerability ∗∗∗ --------------------------------------------- PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies 14,000 internet-accessible appliances. --------------------------------------------- https://www.securityweek.com/poc-published-for-exploited-check-point-vpn-vu… ∗∗∗ Resilience isnt enough, NATO must be proactive for cyberdefense, warns official ∗∗∗ --------------------------------------------- NATO allies need to allow their militaries to be proactive in cyberspace to ensure the alliance isn't affected by a cyberattack that could disrupt the deployment of forces if a conflict was to occur, Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, warned on Friday. --------------------------------------------- https://therecord.media/nato-resilience-cyberdefense-liflander-cycon ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2017-3506 Oracle WebLogic Server OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/03/cisa-adds-one-known-expl… ∗∗∗ Hacks bei Santander und Ticketmaster über Snowflake-Konten ∗∗∗ --------------------------------------------- Die Woche wurden Hacks der Santander Bank und des Anbieters von Tickets, Ticketmaster, bekannt. Bei beiden Hacks wurden Benutzerdaten im großen Umfang erbeutet, die nun in Untergrundforen verkauft werden. Brisant wird die Geschichte, weil diese Hacks wohl über kompromittierte Benutzerkonten beim Cloud-Anbieter Snowflake möglich werden. --------------------------------------------- https://www.borncity.com/blog/2024/06/01/hacks-bei-santander-und-ticketmast… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python39:3.9 and python39-devel:3.9 and ruby:3.0), Debian (chromium, gst-plugins-base1.0, and kernel), Fedora (chromium, glances, glycin-loaders, gnome-tour, helix, helvum, kitty, libarchive, libipuz, librsvg2, loupe, maturin, ntpd-rs, plasma-workspace, and a huge list of Rust-based packages due to a ""mini-mass-rebuild"" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (gifsicle, netatalk, openssl, python-jinja2, and unbound), Red Hat (kernel and kernel-rt), SUSE (bind, glibc, gstreamer-plugins-base, squid, and tiff), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/976782/ ∗∗∗ Sicherheitsupdate: Schadcode-Attacken auf Autodesk AutoCAD möglich ∗∗∗ --------------------------------------------- Die CAD-Softwares Advance Steel, Civil 3D und AutoCAD von Autodesk sind verwundbar. Das Sicherheitsrisiko gilt als hoch. [..] In allen Fällen müssen Angreifer Opfern präparierte Dateien (etwa X_B oder CARPTODUCT) unterschieben. --------------------------------------------- https://heise.de/-9745419 ∗∗∗ 2024-06-03: Cyber Security Advisory - ABB WebPro SNMP card PowerValue Cross-Site Scripting (XSS) vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2CMT006108&Language… ∗∗∗ ifm: moneo password reset can be exploited ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-028/ ∗∗∗ Vulnerability Summary for the Week of May 27, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-155 ∗∗∗ Baxter Welch Allyn Connex Spot Monitor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2024
by Daily end-of-shift report 31 May '24

31 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-05-2024 18:00 − Freitag 31-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Operation Endgame: Großer Schlag gegen weltweite Cyberkriminalität ∗∗∗ --------------------------------------------- Die "Operation Endgame" richtete sich hauptsächlich gegen die Gruppierungen hinter den Botnetzen der sechs Schadsoftware-Familien IcedID, SystemBC, Bumblebee, Smokeloader, Pikabot und Trickbot. [..] Zehn internationale Haftbefehle wurden erlassen, vier Personen vorläufig festgenommen. [..] An der Aktion waren demnach unter der Leitung des BKA Strafverfolger aus den Niederlanden, Frankreich, Dänemark, Großbritannien, Österreich sowie den USA beteiligt. --------------------------------------------- https://heise.de/-9741012 ∗∗∗ Cybercriminals pose as "helpful" Stack Overflow users to push malware ∗∗∗ --------------------------------------------- Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users questions by promoting a malicious PyPi package that installs Windows information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpf… ∗∗∗ Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours ∗∗∗ --------------------------------------------- The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported. [..] Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates the attack is linked to the Windstream outage that occurred during the same timeframe. --------------------------------------------- https://securityaffairs.com/163939/malware/chalubo-destroyed-600000-soho-ro… ∗∗∗ Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.h… ∗∗∗ Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices ∗∗∗ --------------------------------------------- Microsoft has emphasized the need for securing internet-exposed operational technology (OT) devices following a spate of cyber attacks targeting such environments since late 2023. "These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team said. --------------------------------------------- https://thehackernews.com/2024/05/microsoft-warns-of-surge-in-cyber.html ∗∗∗ CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud ∗∗∗ --------------------------------------------- Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE? --------------------------------------------- https://www.thezdi.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-co… ∗∗∗ LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader ∗∗∗ --------------------------------------------- Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups. --------------------------------------------- https://blog.talosintelligence.com/lilacsquid/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, 389-ds:1.4, ansible-core bug fix, enhancement, and, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, gdk-pixbuf2, ghostscript, git-lfs, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, Image builder components bug fix, enhancement and, kernel, kernel-rt, krb5, less, LibRaw, libsndfile, libssh, libXpm, linux-firmware, motif, mutt, nghttp2, openssh, pam, pcp, pcs, perl-Convert-ASN1, perl-CPAN, perl:5.32, pki-core:10.6 and pki-deps:10.6, pmix, poppler, python-dns, python-jinja2, python-pillow, python27:2.7, python3, python3.11, python3.11-cryptography, python3.11-urllib3, python39:3.9 and python39-devel:3.9, qt5-qtbase, resource-agents, squashfs-tools, sssd, systemd, tigervnc, traceroute, vorbis-tools, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), Debian (gst-plugins-base1.0), Fedora (cacti, cacti-spine, roundcubemail, and wireshark), Oracle (.NET 7.0, .NET 8.0, bind and dhcp, gdk-pixbuf2, git-lfs, glibc, grafana, krb5, pcp, python-dns, python3, sssd, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (edk2, less, nghttp2, and ruby:3.0), SUSE (gstreamer-plugins-base, Java, kernel, and python-requests), and Ubuntu (ffmpeg, node-browserify-sign, postgresql-14, postgresql-15, postgresql-16, and python-pymysql). --------------------------------------------- https://lwn.net/Articles/976209/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-pymysql), Fedora (chromium, mingw-python-requests, and thunderbird), Mageia (perl-Email-MIME and qtnetworkauth5 & qtnetworkauth6), Red Hat (gdisk and python39:3.9 and python39-devel:3.9 modules), SUSE (freerdp, gdk-pixbuf, gifsicle, glib2, java-1_8_0-ibm, kernel, libfastjson, libredwg, nodejs16, python, python3, python36, rpm, warewulf4, and xdg-desktop-portal), and Ubuntu (gst-plugins-base1.0, python-werkzeug, and tpm2-tss). --------------------------------------------- https://lwn.net/Articles/976006/ ∗∗∗ IT-Monitoring: Checkmk schließt Lücke, die Änderung von Dateien ermöglicht ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Monitoring-Software Checkmk ermöglicht Angreifern, unbefugt lokale Dateien auf dem Checkmk-Server zu lesen und zu schreiben. --------------------------------------------- https://heise.de/-9741274 ∗∗∗ Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-022 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.05.2024
by Daily end-of-shift report 29 May '24

29 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-05-2024 18:00 − Mittwoch 29-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Okta warns of credential stuffing attacks targeting its CORS feature ∗∗∗ --------------------------------------------- Okta warns that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-warns-of-credential-stu… ∗∗∗ Per Passwortmanager generiert: 20-stelliges Passwort einer Kryptowallet geknackt ∗∗∗ --------------------------------------------- Auf der Wallet befanden sich 43,6 Bitcoins, die heute rund 2,8 Millionen Euro wert sind. Der Besitzer hatte den Zugriff verloren. Zwei Experten konnten ihm helfen. --------------------------------------------- https://www.golem.de/news/per-passwortmanager-generiert-20-stelliges-passwo… ∗∗∗ BreachForums Returns Just Weeks After FBI Seizure - Honeypot or Blunder? ∗∗∗ --------------------------------------------- The online criminal bazaar BreachForums has been resurrected merely two weeks after a U.S.-led coordinated law enforcement action dismantled and seized control of its infrastructure. [..] However, the possibility that it may be a honeypot has not been lost among members of the cybersecurity community. --------------------------------------------- https://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html ∗∗∗ EU Is Tightening Cybersecurity for Energy Providers ∗∗∗ --------------------------------------------- On March 11th, 2024, the European Commission adopted new cybersecurity rules—the EU network code on cybersecurity for the electricity sector (C/2024/1383)—to “establish a recurrent process of cybersecurity risk assessments in the electricity sector.” If you’re a cybersecurity professional, this news is cause for celebration; if you’re an electricity provider, maybe not so much. --------------------------------------------- https://www.tripwire.com/state-of-security/eu-tightening-cybersecurity-ener… ∗∗∗ Stromspargerät „SmartEnergy“ ist Betrug! ∗∗∗ --------------------------------------------- Aktuell bewerben Kriminelle massenhaft ein Gerät namens „SmartEnergy“. Damit sollen Sie Ihren Stromverbrauch um bis zu 90 Prozent reduzieren können. Wir garantieren Ihnen: Hier sparen Sie nicht 90% Strom, sondern verschwenden zu 100% Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stromspargeraet-smartenergy-betrug/ ===================== = Vulnerabilities = ===================== ∗∗∗ Check Point releases emergency fix for VPN zero-day exploited in attacks ∗∗∗ --------------------------------------------- Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks. [..] Tracked as CVE-2024-24919, the high-severity information disclosure vulnerability enables attackers to read certain information on internet-exposed Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/check-point-releases-emergen… ∗∗∗ Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919) ∗∗∗ --------------------------------------------- mnemonic has several observations of the exploit being used in the wild. [..] We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. [..] The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. The following IOCs have been observed in customer environments between April 30, 2024, and today (May 29, 2024) ... --------------------------------------------- https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-v… ∗∗∗ Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution ∗∗∗ --------------------------------------------- Vulnerabilities in the real-time IoT operating system Eclipse ThreadX before version 6.4 could lead to denial-of-service and code execution.The post Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/vulnerabilities-in-eclipse-threadx-could-lead-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc and tomcat), Fedora (chromium, fcitx5-qt, python-pyqt6, qadwaitadecorations, qgnomeplatform, qt6, qt6-qt3d, qt6-qt5compat, qt6-qtbase, qt6-qtcharts, qt6-qtcoap, qt6-qtconnectivity, qt6-qtdatavis3d, qt6-qtdeclarative, qt6-qtgraphs, qt6-qtgrpc, qt6-qthttpserver, qt6-qtimageformats, qt6-qtlanguageserver, qt6-qtlocation, qt6-qtlottie, qt6-qtmqtt, qt6-qtmultimedia, qt6-qtnetworkauth, qt6-qtopcua, qt6-qtpositioning, qt6-qtquick3d, qt6-qtquick3dphysics, qt6-qtquicktimeline, qt6-qtremoteobjects, qt6-qtscxml, qt6-qtsensors, qt6-qtserialbus, qt6-qtserialport, qt6-qtshadertools, qt6-qtspeech, qt6-qtsvg, qt6-qttools, qt6-qttranslations, qt6-qtvirtualkeyboard, qt6-qtwayland, qt6-qtwebchannel, qt6-qtwebengine, qt6-qtwebsockets, qt6-qtwebview, and zeal), Red Hat (glibc, kernel, kernel-rt, kpatch-patch, linux-firmware, mod_http2, pcp, pcs, protobuf, python3, rpm-ostree, and rust), SUSE (git, glibc-livepatches, kernel, libxml2, openssl-1_1, SUSE Manager Client Tools, SUSE Manager Client Tools, salt, and xdg-desktop-portal), and Ubuntu (amavisd-new, firefox, flask-security, frr, git, intel-microcode, jinja2, libreoffice, linux-intel-iotg, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/975737/ ∗∗∗ WordPress Vulnerability & Patch Roundup May 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/05/wordpress-vulnerability-patch-roundup-may-2… ∗∗∗ ZDI-24-516: Progress Software WhatsUp Gold HttpContentActiveController Server-Side Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-516/ ∗∗∗ Vulnerability Summary for the Week of May 20, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-149 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2024
by Daily end-of-shift report 28 May '24

28 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 27-05-2024 18:00 − Dienstag 28-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Trusted relationship attacks: trust, but verify ∗∗∗ --------------------------------------------- We analyze the tactics and techniques of attackers targeting organizations through trusted relationships – that is, through contractors and external IT service providers. --------------------------------------------- https://securelist.com/trusted-relationship-attack/112731/ ∗∗∗ Threat landscape for industrial automation systems, Q1 2024 ∗∗∗ --------------------------------------------- The full global and regional reports have been published on the Kaspersky ICS CERT website. --------------------------------------------- https://securelist.com/industrial-threat-landscape-q1-2024/112683/ ∗∗∗ Kriminelle geben sich als Europäische Verbraucherzentren aus ∗∗∗ --------------------------------------------- Sie haben auf einer betrügerischen Investmentplattform Geld verloren? Ihre persönliche Beratung war nicht mehr erreichbar oder Ihr Konto wurde plötzlich gesperrt? Vorsicht, wenn Sie von Institutionen wie den Europäischen Verbraucherzentren kontaktiert werden, die Ihnen versprechen, Ihr Geld zurückzuholen. Es handelt sich erneut um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-geben-sich-als-europaeisc… ∗∗∗ Ivanti EPM Cloud Services Appliance - Taking advantage of a backdoor to detect a vulnerability ∗∗∗ --------------------------------------------- This blog post details how `CVE-2021-44529` was researched as well as the current method being used to detect it. --------------------------------------------- https://www.bitsight.com/blog/ivanti-epm-cloud-services-appliance-taking-ad… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (less), Mageia (chromium-browser-stable), SUSE (apache2, java-1_8_0-openj9, kernel, libqt5-qtnetworkauth, and openssl-3), and Ubuntu (netatalk and python-cryptography). --------------------------------------------- https://lwn.net/Articles/975529/ ∗∗∗ Kritische Sicherheitslücke gewährt Angreifern Zugriff auf TP-Link-Router C5400X ∗∗∗ --------------------------------------------- Der TP-Link-WLAN-Router C5400X ist verwundbar. Ein Sicherheitspatch schließt eine kritische Schwachstelle. --------------------------------------------- https://heise.de/-9736602 ∗∗∗ WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites ∗∗∗ --------------------------------------------- https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html ∗∗∗ Citrix Workspace app for Mac Security Bulletin for CVE-2024-5027 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX675851/citrix-workspace-app-for-mac-s… ∗∗∗ Campbell Scientific CSI Web Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-149-01 ∗∗∗ TI Bluetooth stack can fail to generate a resolvable Random Private Address (RPA) leading to DoS for already bonded peer devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-466062.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2024
by Daily end-of-shift report 27 May '24

27 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-05-2024 18:00 − Montag 27-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google-Security-Manager: Phishing-Tests bringen nichts und nerven Mitarbeiter ∗∗∗ --------------------------------------------- Mitarbeiter fühlten sich durch Phishing-Simulationen oftmals hintergangen, erklärt ein Security-Experte. Dadurch werde das Vertrauen in die Sicherheitsteams untergraben. --------------------------------------------- https://www.golem.de/news/google-security-manager-phishing-tests-bringen-ni… ∗∗∗ Speichersicherheit: Fast 20 Prozent aller Rust-Pakete sind potenziell unsicher ∗∗∗ --------------------------------------------- Nach Angaben der Rust Foundation verwendet etwa jedes fünfte Rust-Paket das Unsafe-Keyword. Meistens werden dadurch Code oder Bibliotheken von Drittanbietern aufgerufen. --------------------------------------------- https://www.golem.de/news/speichersicherheit-fast-20-prozent-aller-rust-pak… ∗∗∗ Kommentar: Schluss mit falschen Pentests! ∗∗∗ --------------------------------------------- Wir wollen einen Pentest machen. So begannen für einige Zeit viele meiner Kundengespräche – manchmal mit der Variation "müssen" statt "wollen". Doch warum pentesten wir überhaupt? --------------------------------------------- https://heise.de/-9718811 ∗∗∗ Checkpoint: Important Security Update – Enhance your VPN Security Posture! ∗∗∗ --------------------------------------------- Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises. [..] By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method. [..] Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure. Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts. --------------------------------------------- https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/ ∗∗∗ Hackers phish finance orgs using trojanized Minesweeper clone ∗∗∗ --------------------------------------------- Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188,' who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. Superops RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems. [..] The attack begins with an email sent from the address "support(a)patient-docs-mail.com," impersonating a medical center with the subject "Personal Web Archive of Medical Documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-u… ∗∗∗ Message board scams ∗∗∗ --------------------------------------------- Here’s how scams target buyers and sellers on online message boards, and how the gangs behind them operate. [..] The gang under study also operates in Canada, Austria, France, and Norway. --------------------------------------------- https://securelist.com/message-board-scam/112691/ ∗∗∗ New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI ∗∗∗ --------------------------------------------- Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. --------------------------------------------- https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html ∗∗∗ Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store ∗∗∗ --------------------------------------------- At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. [..] These malware-infected applications have collectively garnered over 5.5 million installs. [..] In this blog, we provide a technical analysis of Anatsa attack campaigns that leveraged themes like PDF readers and QR code readers to distribute malware in the Google Play store. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-c… ∗∗∗ Linguistic Lumberjack: Understanding CVE-2024-4323 in Fluent Bit ∗∗∗ --------------------------------------------- This vulnerability was discovered by the Tenable research team who described in their blog, that the flaw is due to improper validation of input names in requests, which can be exploited to cause memory corruption. This can result in denial-of-service attacks or information exposure, with remote code execution being possible under certain conditions. [..] This proof-of-concept script demonstrates how a denial of service is used CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. --------------------------------------------- https://blog.aquasec.com/linguistic-lumberjack-understanding-cve-2024-4323-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a ""mini-mass-rebuild"" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth). --------------------------------------------- https://lwn.net/Articles/975399/ ∗∗∗ Multiple vulnerabilities in HAWKI ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Synology-SA-24:07 Synology Camera ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_07 ∗∗∗ F5: K000139764: Apache HTTPD vulnerability CVE-2023-38709 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139764 ∗∗∗ F5: K000139525: Libexpat vulnerability CVE-2022-43680 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139525 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2024
by Daily end-of-shift report 24 May '24

24 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-05-2024 18:00 − Freitag 24-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft spots gift card thieves using cyber-espionage tactics ∗∗∗ --------------------------------------------- Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-th… ∗∗∗ DKIM/BIMI: Die Zombies des Debian-OpenSSL-Bugs ∗∗∗ --------------------------------------------- Vor 16 Jahren sorgte ein Bug dafür, dass mit Debian und OpenSSL erstellte Schlüssel unsicher waren. Viele DKIM-Setups nutzten auch 16 Jahre später solche Schlüssel. --------------------------------------------- https://www.golem.de/news/dkim-bimi-die-zombies-des-debian-openssl-bugs-240… ∗∗∗ Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. --------------------------------------------- https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html ∗∗∗ Fake Antivirus Websites Deliver Malware to Android and Windows Devices ∗∗∗ --------------------------------------------- Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. --------------------------------------------- https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.h… ∗∗∗ Google Chrome: Vierte bereits missbrauchte Zero-Day-Lücke in zwei Wochen ∗∗∗ --------------------------------------------- Google schließt eine Zero-Day-Lücke im Chrome-Webbrowser, die bereits angegriffen wird. Die vierte in zwei Wochen. --------------------------------------------- https://heise.de/-9730530 ===================== = Vulnerabilities = ===================== ∗∗∗ Dringend patchen: Gitlab-Schwachstelle ermöglicht Übernahme fremder Konten ∗∗∗ --------------------------------------------- Die Sicherheitslücke ist über ein Bug-Bounty-Programm gemeldet worden. Der Entdecker erhielt dafür mehr als 10.000 US-Dollar von Gitlab. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gitlab-schwachstelle-ermoeglicht… ∗∗∗ Mehrere Schwachstellen entdeckt: Qnap verschläft Patches und gelobt Besserung ∗∗∗ --------------------------------------------- Nach der Entdeckung teils schwerwiegender Sicherheitslücken in QTS und QuTS Hero liefert Qnap Patches und entschuldigt sich für die Verspätung. --------------------------------------------- https://www.golem.de/news/mehrere-schwachstellen-entdeckt-qnap-verschlaeft-… ∗∗∗ CISA Warns of Actively Exploited Apache Flink Security Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, an open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libreoffice, and thunderbird), Red Hat (.NET 7.0, .NET 8.0, gdk-pixbuf2, git-lfs, glibc, python3, and xorg-x11-server-Xwayland), SUSE (firefox, opensc, and ucode-intel), and Ubuntu (cjson and gnome-remote-desktop). --------------------------------------------- https://lwn.net/Articles/974913/ ∗∗∗ Splunk Config Explorer vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56781258/ ∗∗∗ WordPress Plugin "WP Booking" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35838128/ ∗∗∗ Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/exposed-serial-shell-on-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2024
by Daily end-of-shift report 23 May '24

23 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-05-2024 18:00 − Donnerstag 23-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ State hackers turn to massive ORB proxy networks to evade detection ∗∗∗ --------------------------------------------- Security researchers are warning that state-backed hackers are increasingly relying on vast proxy networks of virtual private servers and compromised connected devices for cyberespionage operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massiv… ∗∗∗ ShrinkLocker: Turning BitLocker into ransomware ∗∗∗ --------------------------------------------- The Kaspersky GERT has detected a new group that has been abusing Microsoft Windows features by modifying the system to lower the defenses and using the local MS BitLocker utility to encrypt entire drives and demand a ransom. --------------------------------------------- https://securelist.com/ransomware-abuses-bitlocker/112643/ ∗∗∗ Ihre Website läuft über Jimdo? Vorsicht vor Phishing-Mails zu Zahlungsproblemen! ∗∗∗ --------------------------------------------- Website- und Online-Shop-Betreiber:innen aufgepasst: Wenn Ihre Website über Jimdo läuft, haben es Kriminelle aktuell vermehrt auf Ihre Daten und Ihr Geld abgesehen. Sie versenden dazu Phishing-Mails in denen Probleme mit Ihren laufenden Zahlungen vorgegaukelt werden. --------------------------------------------- https://www.watchlist-internet.at/news/jimdo-phishing-mails/ ∗∗∗ Format String Exploitation: A Hands-On Exploration for Linux ∗∗∗ --------------------------------------------- This blogpost covers a Capture The Flag challenge that was part of the 2024 picoCTF event. --------------------------------------------- https://blog.nviso.eu/2024/05/23/format-string-exploitation-a-hands-on-expl… ∗∗∗ New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea ∗∗∗ --------------------------------------------- Unfading Sea Hazes modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs investigation. --------------------------------------------- https://www.hackread.com/unfading-sea-haze-military-target-south-china-sea/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, libxml2, pgadmin4, and python-libgravatar), Mageia (ghostscript), Red Hat (389-ds:1.4, ansible-core, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, ghostscript, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, idm:DL1, idm:DL1 and idm:client modules, kernel, kernel-rt, krb5, LibRaw, [...] --------------------------------------------- https://lwn.net/Articles/974824/ ∗∗∗ Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials ∗∗∗ --------------------------------------------- Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ ∗∗∗ CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack ∗∗∗ --------------------------------------------- Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. --------------------------------------------- https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justic… ∗∗∗ Cisco: Root-Zugriff durch SQL-Injection-Lücke in Firepower möglich ∗∗∗ --------------------------------------------- Cisco warnt vor Sicherheitslücken in ASA- und Firepower-Appliances. Angreifer können mit SQL-Injection Firepower-Geräte kompromittieren. --------------------------------------------- https://heise.de/-9729121 ∗∗∗ Sicherheitsupdates VMware: Schadcode kann aus VM ausbüchsen ∗∗∗ --------------------------------------------- Admins sollten zeitnah mehrere Sicherheitspatches für diverse VMware-Produkte installieren. --------------------------------------------- https://heise.de/-9729288 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-142-01 ∗∗∗ Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0008 ∗∗∗ AutomationDirect Productivity PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2024
by Daily end-of-shift report 22 May '24

22 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-05-2024 18:00 − Mittwoch 22-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GhostEngine mining attacks kill EDR security using vulnerable drivers ∗∗∗ --------------------------------------------- A malicious crypto mining campaign codenamed REF4578, has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-k… ∗∗∗ Sicherheitsexperte warnt: Neue Windows-Funktion ist ein "Security-Alptraum" ∗∗∗ --------------------------------------------- Mit Recall sollen Windows-Nutzer in die Vergangenheit reisen können. Unter Sicherheits- und Datenschutzexperten stößt das neue Feature auf Unverständnis. --------------------------------------------- https://www.golem.de/news/sicherheitsexperte-warnt-neue-windows-funktion-is… ∗∗∗ Stealers, stealers and more stealers ∗∗∗ --------------------------------------------- In this report, we discuss two new stealers: Acrid and ScarletStealer, and an evolution of the known Sys01 stealer, with the latter two dividing stealer functionality across several modules. --------------------------------------------- https://securelist.com/crimeware-report-stealers/112633/ ∗∗∗ Risky Biz News: DNSBomb attack is here! Pew pew pew!!! ∗∗∗ --------------------------------------------- A team of academics from Tsinghua University in Beijing, China has discovered a new method of launching large-scale DDoS attacks using DNS traffic. --------------------------------------------- https://news.risky.biz/risky-biz-news-dnsbomb-attack-is-here-pew-pew-pew/ ∗∗∗ Gehacktes Brawl Stars Konto: Was tun, wenn ich erpresst werde? ∗∗∗ --------------------------------------------- Ihr eigenes oder das Spielekonto Ihres Kindes wurde gehackt? Die Kriminellen fordern nun Geld oder Gutscheinkarten, um den Zugriff zurückzubekommen? Lassen Sie sich nicht erpressen. Wir zeigen Ihnen, was Sie tun können! --------------------------------------------- https://www.watchlist-internet.at/news/gehacktes-brawl-stars-konto-was-tun-… ∗∗∗ Microsoft Exchange Server: Keylogger infiziert Regierungsorganisationen weltweit ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf einen Keylogger gestoßen, der weltweit Regierungsorganisation, aber auch Banken oder andere Institutionen über Microsoft Exchange Server infiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/22/microsoft-exchange-server-keylogge… ∗∗∗ Rockwell Automation Encourages Customers to Assess and Secure Public-Internet-Exposed Assets ∗∗∗ --------------------------------------------- Rockwell Automation has released guidance encouraging users to remove connectivity on all Industrial Control Systems (ICS) devices connected to the public-facing internet to reduce exposure to unauthorized or malicious cyber activity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/21/rockwell-automation-enco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (kernel), Mageia (chromium-browser-stable, djvulibre, gdk-pixbuf2.0, nss & firefox, postgresql15 & postgresql13, python-pymongo, python-sqlparse, stb, thunderbird, and vim), Red Hat (go-toolset:rhel8, nodejs, and varnish:6), SUSE (gitui, glibc, and kernel), and Ubuntu (libspreadsheet-parseexcel-perl, linux-aws, linux-aws-5.15, linux-gke, linux-gcp, python-idna, and thunderbird). --------------------------------------------- https://lwn.net/Articles/974572/ ∗∗∗ Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager ∗∗∗ --------------------------------------------- Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager. --------------------------------------------- https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnera… ∗∗∗ Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution ∗∗∗ --------------------------------------------- Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-honeywell-virtual-co… ∗∗∗ Kritische Lücke gewährt Angreifern Zugriff auf Veeam Backup Enterprise Manager ∗∗∗ --------------------------------------------- In einer aktuellen Version von Veeam Backup & Replication haben die Entwickler mehrere Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-9726433 ∗∗∗ Patchday: Atlassian rüstet Data Center gegen Schadcode-Attacken ∗∗∗ --------------------------------------------- Admins sollten aus Sicherheitsgründen unter anderem Jira Data Center and Server und Service Management auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9728466 ∗∗∗ K000139685: Python vulnerability CVE-2023-40217 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139685 ∗∗∗ K000139700: Linux kernel usbmon vulnerability CVE-2022-43750 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139700 ∗∗∗ NextGen Healthcare Mirth Connect RCE (CVE-2023-43208, CVE-2023-37679) ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5460 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2024
by Daily end-of-shift report 21 May '24

21 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-05-2024 18:00 − Dienstag 21-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising ∗∗∗ --------------------------------------------- A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for Putty and WinSCP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-wind… ∗∗∗ Banking malware Grandoreiro returns after police disruption ∗∗∗ --------------------------------------------- The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-… ∗∗∗ CISA warns of hackers exploiting Chrome, EoL D-Link bugs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ New BiBi Wiper version also destroys the disk partition table ∗∗∗ --------------------------------------------- A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-… ∗∗∗ GitHub warns of SAML auth bypass flaw in Enterprise Server ∗∗∗ --------------------------------------------- GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-by… ∗∗∗ Ungeschützte API: Sicherheitslücke macht Studenten zu Wäsche-Millionären ∗∗∗ --------------------------------------------- In vielen Hochschulen und Wohnheimen stehen Wäscheautomaten von CSC Serviceworks. Zwei Studenten haben darin eine Sicherheitslücke entdeckt - mit erheblichem Missbrauchspotenzial. --------------------------------------------- https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-student… ∗∗∗ Fluent Bit: Kritische Schwachstelle betrifft alle gängigen Cloudanbieter ∗∗∗ --------------------------------------------- Mit der Schwachstelle lassen sich nicht nur Ausfälle provozieren und Daten abgreifen. Auch eine Schadcodeausführung aus der Ferne ist unter gewissen Umständen möglich. --------------------------------------------- https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-… ∗∗∗ Analyzing MSG Files, (Mon, May 20th) ∗∗∗ --------------------------------------------- .msg email files are ole files and can be analyzed with my tool oledump.py. --------------------------------------------- https://isc.sans.edu/diary/Analyzing+MSG+Files/30940 ∗∗∗ Latrodectus Malware Loader Emerges as IcedIDs Successor in Phishing Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware."These campaigns typically involve a .. --------------------------------------------- https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html ∗∗∗ Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail ∗∗∗ --------------------------------------------- A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible .. --------------------------------------------- https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html ∗∗∗ SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure ∗∗∗ --------------------------------------------- The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from .. --------------------------------------------- https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html ∗∗∗ Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users ∗∗∗ --------------------------------------------- A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads."The VBScript and PowerShell scripts in the .. --------------------------------------------- https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html ∗∗∗ Vorsicht vor Telegram-Gruppe „Scammerpayback“ ∗∗∗ --------------------------------------------- Kriminelle verbreiten in Foren, auf Facebook-Seiten oder Gruppen, in denen Betrugsopfer Unterstützung oder Informationen suchen, falsche Hilfsangebote. Mit gefälschten oder gekaperten Profilen kommentieren sie Facebook-Beiträge der Watchlist Internet und locken in eine Telegram-Gruppe, in der Opfer angeblich ihr Geld zurückbekommen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammer… ∗∗∗ Sicherheitsupdate: DoS-Lücken in Netzwerkanalysetool Wireshark geschlossen ∗∗∗ --------------------------------------------- In der aktuellen Version von Wireshark haben die Entwickler drei Sicherheitslücken geschlossen und mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9725317 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/974339/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure). --------------------------------------------- https://lwn.net/Articles/974450/ ∗∗∗ WAGO: Vulnerability in WAGO Navigator ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-021/ ∗∗∗ WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-068/ ∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates 1.6.7 and 1.5.7 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily