=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-04-2024 18:00 − Tuesday 09-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New SharePoint flaws help hackers evade detection when stealing files ∗∗∗
---------------------------------------------
Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [..] Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing. However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-sharepoint-flaws-help-ha…
∗∗∗ Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. [..] The issues were fixed by LG as part of updates released on March 22, 2024. [..] "Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said.
---------------------------------------------
https://thehackernews.com/2024/04/researchers-discover-lg-smart-tv.html
∗∗∗ Beware of fake messages from the tax office ∗∗∗
---------------------------------------------
Are you expecting a message from the tax office? We advise caution: numerous fake SMS and e-mail notifications from FinanzOnline or the tax office are currently in circulation. Do not click on links hastily, and if in doubt, check with the relevant authority!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-nachrichten-vo…
∗∗∗ It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise ∗∗∗
---------------------------------------------
We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
∗∗∗ Notepad++: Developer warns of parasite website and asks for help ∗∗∗
---------------------------------------------
The unauthorised website calls itself a "fan project", but the Notepad++ developer fears harmful effects. The community is asked to help.
---------------------------------------------
https://heise.de/-9678725
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortinet Security Advisories 2024-04-09 ∗∗∗
---------------------------------------------
Fortinet has released 12 security advisories: FortiOS, FortiManager, FortiClientLinux, FortiClientMac, FortiProxy, FortiMail, FortiSandbox, FortiNAC-F (1x critical, 4x high, 7x medium)
---------------------------------------------
https://www.fortiguard.com/psirt?product=FortiOS-6K7K%2CFortiOS&product=For…
∗∗∗ Fortinet: SMTP Smuggling ∗∗∗
---------------------------------------------
FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend adhering to the following indications in order to mitigate the potential risk associated with smuggling attacks [..]
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-009
∗∗∗ OpenSSL 3.3 Series Release Notes ∗∗∗
---------------------------------------------
Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511])
---------------------------------------------
https://www.openssl.org/news/openssl-3.3-notes.html
∗∗∗ Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224) ∗∗∗
---------------------------------------------
Ollama is an open-source system for running and managing large language models (LLMs). [..] Ollama fixed this issue in release v0.1.29.
---------------------------------------------
https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebi…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/969141/
∗∗∗ ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric release their ICS Patch Tuesday advisories for April 2024, informing customers about dozens of vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-palo-alto-…
∗∗∗ SSA-885980 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-885980.html
∗∗∗ SSA-822518 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-822518.html
∗∗∗ SSA-730482 V1.0: Denial of Service Vulnerability in SIMATIC WinCC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-730482.html
∗∗∗ SSA-556635 V1.0: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-556635.html
∗∗∗ SSA-455250 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-455250.html
∗∗∗ SSA-265688 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
∗∗∗ SSA-222019 V1.0: X_T File Parsing Vulnerabilities in Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-222019.html
∗∗∗ SSA-128433 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-128433.html
∗∗∗ Xen: XSA-454 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-454.html
∗∗∗ Welotec: Two vulnerabilities in TK500v1 router series ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-009/
∗∗∗ SUBNET PowerSYSTEM Server and Substation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01
∗∗∗ Multiple vulnerabilities in WordPress Plugin "Ninja Forms" ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50361500/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SAP Patch Day: Ten security notes in April ∗∗∗
---------------------------------------------
https://heise.de/-9678796
∗∗∗ HP Poly CCX IP phones allow unauthorised access ∗∗∗
---------------------------------------------
https://heise.de/-9679027
∗∗∗ Robot Operating System: Numerous vulnerabilities found and closed ∗∗∗
---------------------------------------------
https://heise.de/-9679260
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-04-2024 18:00 − Monday 08-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Around 16,500 Ivanti VPN instances potentially vulnerable ∗∗∗
---------------------------------------------
Scans show that thousands of Ivanti VPN instances of the Connect Secure and Policy Secure Gateway types are vulnerable worldwide. [..] According to their own statements, security researchers at Shadowserver have found around 16,500 VPN instances worldwide that are highly likely to be susceptible to attacks (CVE-2024-21894 "high", CVE-2024-22053 "high"). If attacks succeed, malicious code can end up on the appliances. Systems are then generally considered fully compromised.
---------------------------------------------
https://heise.de/-9677551
∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗
---------------------------------------------
A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-n…
∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗
---------------------------------------------
Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-…
∗∗∗ Keyboard control: Amazon investigates security vulnerability in Fire TV feature ∗∗∗
---------------------------------------------
Amazon has temporarily withdrawn a convenience feature for Fire TV devices due to possible security concerns raised by Green Line Analytics.
---------------------------------------------
https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitslu…
∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗
---------------------------------------------
Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024.
---------------------------------------------
https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html
∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗
---------------------------------------------
Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string…
∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗
---------------------------------------------
New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs.
---------------------------------------------
https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/
∗∗∗ Beware of free services for adjusting and modifying files ∗∗∗
---------------------------------------------
Do you want to convert or shrink files, or merge documents? There are numerous supposedly free services for this on the internet. We advise against them, as a subscription trap lurks behind many of these offers. It is also often unclear what happens to your documents.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zu…
∗∗∗ IBIS hotel: check-in terminal hands out access codes for other guests' rooms ∗∗∗
---------------------------------------------
Another security incident at hotels: at the check-in terminals of IBIS hotels, entering a special non-alphanumeric booking number made it possible to retrieve the key codes for almost half of the rooms. Third parties could have entered the rooms and stolen valuables.
---------------------------------------------
https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-…
∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗
---------------------------------------------
FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs.
---------------------------------------------
https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).
---------------------------------------------
https://lwn.net/Articles/968999/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-04-2024 18:00 − Friday 05-04-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fake AI law firms are sending fake DMCA threats to generate fake SEO gains ∗∗∗
---------------------------------------------
If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods.
---------------------------------------------
https://arstechnica.com/?p=2014933
∗∗∗ Continuation Flood: DoS attack technique paralyses HTTP/2 servers without a botnet ∗∗∗
---------------------------------------------
In some cases, a single TCP connection is sufficient for a successful attack. System resources become overloaded.
---------------------------------------------
https://www.golem.de/news/continuation-flood-dos-angriffstechnik-legt-http-…
∗∗∗ AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks ∗∗∗
---------------------------------------------
New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers' models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. [..] To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining the role of a Node within the cluster.
---------------------------------------------
https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html
∗∗∗ Bing ad for NordVPN leads to SecTopRAT ∗∗∗
---------------------------------------------
Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-n…
∗∗∗ New triangulation fraud scheme: criminals order in your name ∗∗∗
---------------------------------------------
You shop online, pay and receive the goods you ordered. But after a few weeks you suddenly receive a payment reminder, a debt collection letter or even a fraud report. The reason: an unpaid invoice from an online shop where you never ordered anything. In this case, both you and the online shop have been defrauded. We show you how this new scheme works and how you can protect yourself.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-dreiecksbetrugsmasche-kriminell…
∗∗∗ The Illusion of Privacy: Geolocation Risks in Modern Dating Apps ∗∗∗
---------------------------------------------
Dating apps traditionally utilize location data, offering the opportunity to connect with people nearby, and enhancing the chances of real-life meetings. Some apps can also display the distance of the user to other users. This feature is quite useful for coordinating meetups, indicating whether a potential match is just a short distance away or a kilometer apart. However, openly sharing your distance with other users can create serious security issues. The risks become apparent when you consider the potential misuse by a curious individual armed with advanced knowledge of techniques like trilateration.
---------------------------------------------
https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-ri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/968561/
∗∗∗ Lexmark: High-risk vulnerabilities allow code injection on printers ∗∗∗
---------------------------------------------
Lexmark warns of security vulnerabilities in various printer firmware versions. Attackers can inject malicious code. Updates are available.
---------------------------------------------
https://heise.de/-9675861
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-04-2024 18:00 − Thursday 04-04-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SurveyLama data breach exposes info of 4.4 million users ∗∗∗
---------------------------------------------
In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including dates of birth, email addresses, IP addresses, full names, passwords, phone numbers and physical addresses [..] The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/surveylama-data-breach-expos…
∗∗∗ New HTTP/2 DoS attack can crash web servers with a single connection ∗∗∗
---------------------------------------------
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-cr…
∗∗∗ Attack with new ransomware: SEXi hackers encrypt ESXi servers ∗∗∗
---------------------------------------------
The new SEXi ransomware was recently used in a Powerhost data centre. Some affected customer systems are apparently unrecoverable. [..] The name appears to be a play on words, as the attackers are evidently targeting VMware ESXi servers.
---------------------------------------------
https://www.golem.de/news/angriff-mit-neuer-ransomware-sexi-hacker-verschlu…
∗∗∗ Windows NTLM credentials vulnerability CVE-2024-21320: fix by 0patch ∗∗∗
---------------------------------------------
There is a vulnerability in Windows (CVE-2024-21320) that exposes NTLM credentials via Windows themes. Microsoft did patch CVE-2024-21320 in January 2024. That patch provides a policy to prevent NTLM credentials from being retrieved when theme files are located on network shares. ACROS Security has now released a micropatch for the 0patch agent that closes the vulnerability in general (without a registry intervention).
---------------------------------------------
https://www.borncity.com/blog/2024/04/04/windows-ntlm-credentials-schwachst…
∗∗∗ Latrodectus: This Spider Bytes Like Ice ∗∗∗
---------------------------------------------
We share Proofpoint's assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities.
---------------------------------------------
https://www.team-cymru.com/post/latrodectus-this-spider-bytes-like-ice
∗∗∗ Byakugan – The Malware Behind a Phishing Attack ∗∗∗
---------------------------------------------
FortiGuard Labs has uncovered the Byakugan malware behind a recent malware campaign distributed by malicious PDF files [..] In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysis of the overlap between that attack and this one and focus primarily on the details of the infostealer.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phi…
∗∗∗ Political parties more frequently targeted by cyberattacks ahead of the EU election ∗∗∗
---------------------------------------------
Cyberattackers are currently apparently focusing heavily on political actors and parties. The danger is said to lie particularly in so-called hack-and-leak attacks.
---------------------------------------------
https://heise.de/-9674511
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks ∗∗∗
---------------------------------------------
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vul…
∗∗∗ Cisco Security Advisories 2024-04-03 ∗∗∗
---------------------------------------------
Security Impact Rating: 1x High, 11x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-29745 Android Pixel Information Disclosure Vulnerability, CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/04/04/cisa-adds-two-known-expl…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-01
∗∗∗ Schweitzer Engineering Laboratories SEL ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-04-2024 18:00 − Wednesday 03-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ NIS2 consultation procedure started ∗∗∗
---------------------------------------------
On 3 April 2024, the government sent the Cybersecurity Act implementing the European NIS2 regulation out for consultation.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D
∗∗∗ Criticism after cyberattack: Microsoft does not have its crown jewels under control ∗∗∗
---------------------------------------------
A cyberattack on Microsoft's servers detected in summer 2023 had devastating consequences for some customers. A US commission is now levelling serious accusations against the company.
---------------------------------------------
https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m…
∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗
---------------------------------------------
As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked.
---------------------------------------------
https://www.wired.com/story/jia-tan-xz-backdoor/
∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗
---------------------------------------------
In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.
---------------------------------------------
https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila…
∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗
---------------------------------------------
PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e…
∗∗∗ High mobile phone bill due to an unwanted subscription? ∗∗∗
---------------------------------------------
Your mobile provider suddenly informs you by e-mail or SMS that you have taken out a subscription. But you are sure that you never agreed to a contract and have no idea how this came about? We show you what you can do about dubious charges on your mobile phone bill and how to protect yourself from subscription traps.
---------------------------------------------
https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes…
∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability.
---------------------------------------------
https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121…
∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗
---------------------------------------------
Our new article provides key highlights and takeaways from Operation Cronos' disruption of LockBit's operations, as well as telemetry details on how LockBit actors operated post-disruption.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
---------------------------------------------
https://lwn.net/Articles/968218/
∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗
---------------------------------------------
A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl…
∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗
---------------------------------------------
Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar…
∗∗∗ Android patch day: attackers can gain elevated privileges ∗∗∗
---------------------------------------------
Besides Google, Samsung and other manufacturers have also released important security updates for Android devices.
---------------------------------------------
https://heise.de/-9673480
∗∗∗ Code injection vulnerability in VMware SD-WAN Edge and Orchestrator ∗∗∗
---------------------------------------------
Three security vulnerabilities in VMware's SD-WAN Edge and Orchestrator allow attackers, among other things, to inject malicious code.
---------------------------------------------
https://heise.de/-9673416
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/
∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2404-01.pdf
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-03-2024 18:00 − Tuesday 02-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ State-sponsored "development" of open-source software ∗∗∗
---------------------------------------------
Anyone looking for a short summary of the events surrounding the (most likely) backdoor in xz, CVE-2024-3094, should take a look at this graphic created by security researcher Thomas Roccia. It summarizes the most important details, which are examined in much greater depth in the following paragraphs. Alternatively, this blog post could have had a much snappier title - "CVE-2024-3094", because that is what this post is about.
---------------------------------------------
https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffen…
∗∗∗ The amazingly scary xz sshd backdoor, (Mon, Apr 1st) ∗∗∗
---------------------------------------------
The whole story around this is both fascinating and scary – and I’m sure will be told around numerous times, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let’s take a look at a couple of fascinating things in this backdoor.
---------------------------------------------
https://isc.sans.edu/diary/rss/30802
∗∗∗ On Cybersecurity Alert Levels ∗∗∗
---------------------------------------------
Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here.
---------------------------------------------
https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels
∗∗∗ Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! ∗∗∗
---------------------------------------------
Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.
---------------------------------------------
https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed…
∗∗∗ From OneNote to RansomNote: An Ice Cold Intrusion ∗∗∗
---------------------------------------------
In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
---------------------------------------------
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold…
∗∗∗ Adversaries are leveraging remote access tools now more than ever — here’s how to stop them ∗∗∗
---------------------------------------------
While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
---------------------------------------------
https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access…
∗∗∗ Earth Freybug Uses UNAPIMON for Unhooking Critical APIs ∗∗∗
---------------------------------------------
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Update #1: Critical vulnerability/backdoor in xz-utils (CVE-2024-3094) ∗∗∗
---------------------------------------------
A backdoor was discovered in versions 5.6.0 and 5.6.1 of the widely used xz-utils library. xz-utils is frequently used to compress software packages, kernel images and initramfs images. The vulnerability allows unauthenticated attackers to bypass sshd authentication on vulnerable systems and gain unauthorized access to the entire system. We currently have no information about active exploitation.
---------------------------------------------
https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
---------------------------------------------
https://lwn.net/Articles/967851/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
---------------------------------------------
https://lwn.net/Articles/967959/
∗∗∗ Security Flaw in WP-Members Plugin Leads to Script Injection ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages.
---------------------------------------------
https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-sc…
∗∗∗ Bitdefender has closed a high-risk security vulnerability ∗∗∗
---------------------------------------------
A security vulnerability allowed attackers to escalate their privileges on computers running Bitdefender antivirus. The vulnerability has been closed.
---------------------------------------------
https://heise.de/-9672841
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139092 : DNS vulnerability CVE-2023-50387 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139092
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-03-2024 18:00 − Friday 29-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Doctor Web’s January 2024 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%.
---------------------------------------------
https://news.drweb.com/show/review/?lng=en&i=14833
∗∗∗ Quick Forensics Analysis of Apache logs, (Fri, Mar 29th) ∗∗∗
---------------------------------------------
Sometimes, you have to quickly investigate web server logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs to a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible to their location/source and only download the investigation results.
---------------------------------------------
https://isc.sans.edu/diary/rss/30792
∗∗∗ New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking ∗∗∗
---------------------------------------------
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante.
---------------------------------------------
https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html
∗∗∗ Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds ∗∗∗
---------------------------------------------
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
---------------------------------------------
https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html
∗∗∗ Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base ∗∗∗
---------------------------------------------
US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity.
---------------------------------------------
https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-d…
∗∗∗ E-mail about a "questionable transaction" leads to malware ∗∗∗
---------------------------------------------
Criminals are currently sending e-mails indiscriminately to companies with the subject "Questionable Transaction on Credit Card - Need Explanation". The criminals ask recipients to reply to the e-mail to explain where the "questionable transaction" on the credit card comes from. Anyone who replies promptly receives a new e-mail. This time an account statement is attached as proof. At least that is what the criminals claim.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktio…
∗∗∗ Stories from the SOC Part 1: IDAT Loader to BruteRatel ∗∗∗
---------------------------------------------
In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-ida…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
---------------------------------------------
https://lwn.net/Articles/967134/
∗∗∗ 26 Security Issues Patched in TeamCity ∗∗∗
---------------------------------------------
TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”.
---------------------------------------------
https://www.securityweek.com/26-security-issues-patched-in-teamcity/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139084 : DNS vulnerability CVE-2023-50868 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139084
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-03-2024 18:00 − Thursday 28-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗
---------------------------------------------
A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service…
∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗
---------------------------------------------
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spra…
∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗
---------------------------------------------
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
---------------------------------------------
https://securelist.com/dinodasrat-linux-implant/112284/
∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗
---------------------------------------------
It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called “_Rechnung_01941085434_PDF.js” (Invoice in German) with a low VT score.
---------------------------------------------
https://isc.sans.edu/diary/rss/30788
∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗
---------------------------------------------
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.
---------------------------------------------
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its…
∗∗∗ Netz-digitalisierung.com opens accounts in your name! ∗∗∗
---------------------------------------------
Tempting side-job offers as an app tester or study participant via the site netz-digitalisierung.com lead to identity theft! The criminals open accounts in your name and may use them for criminal purposes.
---------------------------------------------
https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/
∗∗∗ Pre-ransomware activity: threat actors are still, and increasingly, using CitrixBleed (CVE-2023-4966) for initial access ∗∗∗
---------------------------------------------
We are currently aware of several ransomware incidents in Austria in which, with very high probability, CitrixBleed (CVE-2023-4966) was used as the primary attack vector for initial access to the organizations' networks. A patch has been available for some time.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-n…
∗∗∗ Too much malicious code yet again: no new projects for the Python registry PyPI ∗∗∗
---------------------------------------------
A flood of packages containing malicious code has prompted the operators of the Python Package Index to halt the registration of new projects and users.
---------------------------------------------
https://heise.de/-9670240
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidia's newborn ChatRTX bot patched for security bugs ∗∗∗
---------------------------------------------
ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
---------------------------------------------
https://lwn.net/Articles/966961/
∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗
---------------------------------------------
Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.
---------------------------------------------
https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-p…
∗∗∗ New SugarCRM versions close critical vulnerabilities ∗∗∗
---------------------------------------------
The new versions SugarCRM 13.03 and 12.05 close a total of 18 vulnerabilities, some of them critical.
---------------------------------------------
https://heise.de/-9670436
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_05
∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_04
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-03-2024 18:00 − Wednesday 27-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ransomware as a Service and the Strange Economics of the Dark Web ∗∗∗
---------------------------------------------
Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-…
∗∗∗ CISA tags Microsoft SharePoint RCE bug as actively exploited ∗∗∗
---------------------------------------------
CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoi…
∗∗∗ Row breaks out over true severity of two DNSSEC flaws ∗∗∗
---------------------------------------------
Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_ris…
∗∗∗ Fake Booking.com contact numbers lure victims into a trap! ∗∗∗
---------------------------------------------
Beware of fraudulent phone numbers when googling Booking.com contact information. Criminals create fake websites with the Booking logo and display phone numbers on them.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-bookingcom-kontaktnummer…
∗∗∗ Advanced Nmap Scanning Techniques ∗∗∗
---------------------------------------------
Beyond its fundamental port scanning capabilities, Nmap offers a suite of advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/advanced-nmap-scann…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Ray framework flaw to breach servers, hijack resources ∗∗∗
---------------------------------------------
A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framewor…
∗∗∗ Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions ∗∗∗
---------------------------------------------
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
---------------------------------------------
https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
---------------------------------------------
https://lwn.net/Articles/966835/
∗∗∗ Exposing a New BOLA Vulnerability in Grafana ∗∗∗
---------------------------------------------
Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Security Advisories 2024-03-27 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Splunk Security Advisories ∗∗∗
---------------------------------------------
https://advisory.splunk.com/advisories
∗∗∗ Google Chrome: critical vulnerability threatens browser users ∗∗∗
---------------------------------------------
https://heise.de/-9668035
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-03-2024 18:00 − Tuesday 26-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗
---------------------------------------------
Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play…
∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗
---------------------------------------------
During a recent Linux forensic engagement, a colleague asked if there was any way to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do?
---------------------------------------------
https://isc.sans.edu/diary/rss/30774
∗∗∗ Agent Tesla's New Ride: The Rise of a Novel Loader ∗∗∗
---------------------------------------------
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-tesla…
∗∗∗ The Darkside of TheMoon ∗∗∗
---------------------------------------------
The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
---------------------------------------------
https://blog.lumen.com/the-darkside-of-themoon/
∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗
---------------------------------------------
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).
---------------------------------------------
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-ap…
∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗
---------------------------------------------
A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.
---------------------------------------------
https://www.securityweek.com/suspicious-nuget-package-harvesting-informatio…
∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗
---------------------------------------------
This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/966678/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, CVE-2023-42950, CVE-2023-42956, CVE-2023-42843.
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0002.html
∗∗∗ macOS 14.4.1 with plenty of bug fixes – security background on iOS 17.4.1 ∗∗∗
---------------------------------------------
Apple released another update for macOS 14 on Monday evening. It fixes various bugs. In parallel, there is information on iOS 17.4.1 and its fixes.
---------------------------------------------
https://heise.de/-9666170
∗∗∗ Load balancer: security vulnerabilities in Loadmaster from Progress/Kemp ∗∗∗
---------------------------------------------
The Loadmaster load balancer software from Progress/Kemp contains security vulnerabilities that allow attackers, for example, to inject commands.
---------------------------------------------
https://heise.de/-9666253
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-201698.html
∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02
∗∗∗ Rockwell Automation Arena Simulation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03
∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01