Daily

daily@lists.cert.at

1 participants
3200 discussions

Tageszusammenfassung - 26.09.2024
by Daily end-of-shift report 26 Sep '24

26 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-09-2024 18:00 − Donnerstag 26-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC ∗∗∗ --------------------------------------------- Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. [..] For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. --------------------------------------------- https://blog.talosintelligence.com/talos-discovers-denial-of-service-vulner… ∗∗∗ The Cyber Resilience Act, an Accidental European Alien Torts Statute? ∗∗∗ --------------------------------------------- What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible? --------------------------------------------- https://www.lawfaremedia.org/article/the-cyber-resilience-act--an-accidenta… ∗∗∗ Threat landscape for industrial automation systems, Q2 2024 ∗∗∗ --------------------------------------------- In this report, we share statistics on threats to industrial control systems in Q2 2024, including statistics by region, industry, malware and other threat types. --------------------------------------------- https://securelist.com/industrial-threat-landscape-q2-2024/113981/ ∗∗∗ Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking ∗∗∗ --------------------------------------------- DMA allows input-output (I/O) devices to access memory without CPU involvement. Bypassing the Operating System (OS) by providing direct high-speed access to the system’s memory improves efficiency for Graphics processing units (GPUs), Network Interface Cards (NICs), storage devices (e.g. NVMe) and peripheral devices. DMA capable connections include PCI, PCI Express (PCIe), Thunderbolt, FireWire, ExpressCard. Without additional safeguards, DMA can make systems vulnerable to attacks. --------------------------------------------- https://www.pentestpartners.com/security-blog/direct-memory-access-dma-atta… ∗∗∗ Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy ∗∗∗ --------------------------------------------- We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant). --------------------------------------------- https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/ ∗∗∗ Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam ∗∗∗ --------------------------------------------- Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. --------------------------------------------- https://blog.talosintelligence.com/simple-mail-transfer-pirates/ ∗∗∗ Phishing and Social Engineering: The Human Factor in Election Security ∗∗∗ --------------------------------------------- Discover how phishing and social engineering threaten the 2024 U.S. elections in part three of our Election Cybersecurity series. Learn how attackers exploit human vulnerabilities to compromise systems and how to defend against these evolving threats. --------------------------------------------- https://www.greynoise.io/blog/phishing-and-social-engineering-the-human-fac… ∗∗∗ Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks ∗∗∗ --------------------------------------------- Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response. --------------------------------------------- https://hackread.com/dell-data-leak-in-week-amid-grep-cyberattacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ HPE Aruba Networking fixes critical flaws impacting Access Points ∗∗∗ --------------------------------------------- HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-t… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9). --------------------------------------------- https://lwn.net/Articles/991897/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-27838, CVE-2024-27851, CVE-2024-40866, CVE-2024-44187 --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0005.html ∗∗∗ Cisco IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 16, 2024 to September 22, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2024
by Daily end-of-shift report 25 Sep '24

25 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-09-2024 18:00 − Mittwoch 25-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ChatGPT macOS Flaw Couldve Enabled Long-Term Spyware via Memory Function ∗∗∗ --------------------------------------------- A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said. --------------------------------------------- https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.h… ∗∗∗ Schon wieder: Offizielles Twitter-Konto OpenAIs von Krypto-Betrügern übernommen ∗∗∗ --------------------------------------------- Der offizielle Twitter-Account der Pressestelle von ChatGPT-Anbieter OpenAI wurde von Betrügern übernommen und genutzt, um eine Fake-Kryptowährung zu promoten. --------------------------------------------- https://heise.de/-9953073 ∗∗∗ AI-Generated Malware Found in the Wild ∗∗∗ --------------------------------------------- HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper. --------------------------------------------- https://www.securityweek.com/ai-generated-malware-found-in-the-wild/ ∗∗∗ Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz ∗∗∗ --------------------------------------------- Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more. --------------------------------------------- https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tact… ∗∗∗ LummaC2: Obfuscation Through Indirect Control Flow ∗∗∗ --------------------------------------------- This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscatio… ∗∗∗ Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks ∗∗∗ --------------------------------------------- The manufacturing, real estate and transportation industries are recent targets of the cybercrime operation known as DragonForce. Researchers say its serving up versions of LockBit and Conti to affiliates. --------------------------------------------- https://therecord.media/lockbit-conti-dragonforce-ransomware-cybercrime ∗∗∗ Shedding Light on Election Deepfakes ∗∗∗ --------------------------------------------- Contrary to popular belief, deepfakes — AI-crafted audio files, images, or videos that depict events and statements that never occurred; a portmanteau of “deep learning” and “fake” — are not all intrinsically malicious. [..] Let’s take a look at the state of deepfakes during the 2020 elections, how it’s currently making waves in the 2024 election cycle, and how voters can tell truth from digital deception. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/shedding-li… ===================== = Vulnerabilities = ===================== ∗∗∗ 20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin ∗∗∗ --------------------------------------------- This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. [..] After providing full disclosure details, the developer released a patch on September 23, 2024. [..] CVE ID: CVE-2024-8290 --------------------------------------------- https://www.wordfence.com/blog/2024/09/20000-wordpress-sites-affected-by-pr… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma). --------------------------------------------- https://lwn.net/Articles/991701/ ∗∗∗ WatchGuard SSO and Moodle ∗∗∗ --------------------------------------------- rt-sa-2024-008: WatchGuard SSO Client Denial-of-Service, rt-sa-2024-007: WatchGuard SSO Agent Telnet Authentication Bypass, rt-sa-2024-006: WatchGuard SSO Protocol is Unencrypted and Unauthenticated, rt-sa-2024-009: Moodle: Remote Code Execution via Calculated Questions --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/ ∗∗∗ Teamviewer: Hochriskante Lücken ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- In den Teamviewer-Remote-Clients können Angreifer eine unzureichende kryptografische Prüfung von Treiberinstallationen missbrauchen, um ihre Rechte auszuweiten und Treiber zu installieren (CVE-2024-7479, CVE-2024-7481; beide CVSS 8.8, Risiko "hoch"). [..] Die seit Dienstag dieser Woche verfügbare Version 15.58.4 oder neuere schließen diese Sicherheitslücken. --------------------------------------------- https://heise.de/-9953034 ∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-45817 ∗∗∗ --------------------------------------------- https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervi… ∗∗∗ Schwachstelle in BlackBerry CylanceOPTICS Windows Installer Package ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstelle-in-blac… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2024
by Daily end-of-shift report 24 Sep '24

24 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2024 18:00 − Dienstag 24-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackerangriff hier, Hackerangriff da? Nein. ∗∗∗ --------------------------------------------- Ein Kommentar zur aktuellen Berichterstattung rund um DDoS-Angriffe gegen die Webseiten politischer Parteien in Österreich. --------------------------------------------- https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff ∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗ --------------------------------------------- An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-… ∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗ --------------------------------------------- A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-octo-android-malware-ver… ∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗ --------------------------------------------- Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31292 ∗∗∗ Untersuchung von Solaris / SunOS - Persistenz mit Systemprozessen ∗∗∗ --------------------------------------------- Im Vergleich zu Windows oder sogar Linux ist das öffentliche Wissen und die Anleitung zur digitalen Forensik für Solaris / SunOS eher dünn. Während dieses Einsatzes haben wir unser Wissen über Solaris erheblich erweitert und es auf verschiedene Angreifertechniken hin untersucht. In diesem Blog-Beitrag möchten wir unsere Erfahrungen mit der Untersuchung potenzieller Persistenz durch Systemprozesse im Zusammenhang mit der MITRE ATT&CK-Technik T1543 teilen. --------------------------------------------- https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persiste… ∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗ --------------------------------------------- A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. {..] Deloitte says no sensitive data exposed after a notorious hacker leaked what he claimed to be internal communications. --------------------------------------------- https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-afte… ∗∗∗ Kirchenaustritt nicht über kirchenaustritt-digital-beantragen.at beantragen ∗∗∗ --------------------------------------------- Wer Informationen zum Kirchenaustritt sucht, landet schnell bei kirchenaustritt-digital-beantragen.at. Wir raten jedoch davon ab, über diesen kostenpflichtigen Dienst den Austritt zu beantragen. Beschwerden zufolge wird die Kündigung trotz Bezahlung nicht an die Kirche übermittelt. Außerdem werden sehr viele Daten und eine Ausweiskopie verlangt. Wir raten generell davon ab, Kündigungen usw. über Drittanbieter abzuwickeln. --------------------------------------------- https://www.watchlist-internet.at/news/kirchenaustritt/ ∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗ --------------------------------------------- We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. --------------------------------------------- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ ∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗ --------------------------------------------- A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service. --------------------------------------------- https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗ --------------------------------------------- Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity. --------------------------------------------- https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-t… ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel, ICSA-24-268-02 Alisonic Sibylla, ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO, ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE, ICSA-24-268-05 Moxa MXview One, ICSA-24-268-06 OMNTEC Proteus Tank Monitoring, ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A), ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-indu… ∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗ --------------------------------------------- Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269) --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗ --------------------------------------------- In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation. --------------------------------------------- https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated… ∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-462.html ∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83325/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2024
by Daily end-of-shift report 23 Sep '24

23 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2024 18:00 − Montag 23-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hyper-V und VMware: Schwachstellen, Patches, PoCs ∗∗∗ --------------------------------------------- In Hyper-V wurde kürzlich eine Schwachstelle gepatcht – jetzt gibt es einen Proof of Concept (PoC) für diese Schwachstelle. Und bei VMware gibt es ebenfalls Schwachstellen sowie Infos, wie sich aus der VM ausbrechen lässt. --------------------------------------------- https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-… ∗∗∗ Android malware Necro infects 11 million devices via Google Play ∗∗∗ --------------------------------------------- A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-necro-infect… ∗∗∗ Global infostealer malware operation targets crypto users, gamers ∗∗∗ --------------------------------------------- A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo." --------------------------------------------- https://www.bleepingcomputer.com/news/security/global-infostealer-malware-o… ∗∗∗ Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd) ∗∗∗ --------------------------------------------- While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address). --------------------------------------------- https://isc.sans.edu/diary/rss/31288 ∗∗∗ Staying a Step Ahead: Mitigating the DPRK IT Worker Threat ∗∗∗ --------------------------------------------- This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it… ∗∗∗ Why Do Criminals Love Phishing-as-a-Service Platforms? ∗∗∗ --------------------------------------------- Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-crim… ∗∗∗ CISA boss: Makers of insecure software are enablers of the real villains ∗∗∗ --------------------------------------------- Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_… ∗∗∗ Proxy Detection: Comparing Detection Services with the Truth ∗∗∗ --------------------------------------------- In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth. --------------------------------------------- https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-ser… ∗∗∗ Hackers Claim Second Dell Data Breach in One Week ∗∗∗ --------------------------------------------- Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident. --------------------------------------------- https://hackread.com/dell-hit-by-second-security-breach-in-week/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/991377/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2024
by Daily end-of-shift report 20 Sep '24

20 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2024 18:00 − Freitag 20-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ever wonder how crooks get the credentials to unlock stolen phones? ∗∗∗ --------------------------------------------- iServer provided a simple service for phishing credentials to unlock phones. --------------------------------------------- https://arstechnica.com/?p=2051165 ∗∗∗ CISA warns of actively exploited Apache HugeGraph-Server bug ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ macOS Sequoia change breaks networking for VPN, antivirus software ∗∗∗ --------------------------------------------- Users of macOS 15 Sequoia are reporting network connection errors when using certain endpoint detection and response (EDR) or virtual private network (VPN) solutions, and web browsers. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/macos-sequoia-change-breaks-net… ∗∗∗ 1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from The Register: Germanys Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrikes outage in July are dropping their current vendors products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to .. --------------------------------------------- https://it.slashdot.org/story/24/09/19/1721236/1-in-10-orgs-dumping-their-s… ∗∗∗ SAP Hash Cracking Techniques ∗∗∗ --------------------------------------------- Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive data. Hash functions convert input data into a fixed-size string of characters that are both uniform and deterministic, making them an excellent choice for maintaining data security. --------------------------------------------- https://redrays.io/blog/sap-hash-cracking-techniques/ ∗∗∗ This Windows PowerShell Phish Has Scary Potential ∗∗∗ --------------------------------------------- Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While its unlikely that many programmers fell for this .. --------------------------------------------- https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary… ∗∗∗ Ivanti Warns of Second CSA Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited. --------------------------------------------- https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-explo… ∗∗∗ Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China ∗∗∗ --------------------------------------------- GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections. --------------------------------------------- https://www.securityweek.com/noise-storms-massive-amounts-of-spoofed-web-tr… ∗∗∗ Vorsicht vor gefälschten Gewinnspielen von ÖAMTC und ADAC ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie per E-Mail ein Gewinnspiel für ein Auto-Notfallset erhalten. Kriminelle geben sich als ÖAMTC oder ADAC aus und behaupten, Sie hätten ein Auto-Notfallset gewonnen. Klicken Sie nicht auf den Link, Sie werden in eine Abo-Fall gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-gewinnspiele-oeamtc-adac/ ∗∗∗ Datendiebstahl via Slack, Disney stellt Nutzung des Messenger-Dienstes ein ∗∗∗ --------------------------------------------- Die Hackergruppe Nullbulge konnte Computercode und Details über unveröffentlichte Projekte stehlen und veröffentlichen --------------------------------------------- https://www.derstandard.at/story/3000000237370/datendiebstahl-disney-trennt… ∗∗∗ High-risk vulnerabilities in common enterprise technologies ∗∗∗ --------------------------------------------- Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries. --------------------------------------------- https://www.rapid7.com/blog/post/2024/09/19/etr-high-risk-vulnerabilities-i… ∗∗∗ Jugendherbergen offenbar Opfer von Ransomware-Bande Hunters ∗∗∗ --------------------------------------------- Ende August kam es zu Störungen bei rund 450 deutschen Jugendherbergen. Die Ursache war unklar. Offenbar ist eine Ransomware-Attacke schuld. --------------------------------------------- https://heise.de/-9938226 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5773-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00186.html ∗∗∗ OpenSSH 9.9 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/991028/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2024
by Daily end-of-shift report 19 Sep '24

19 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2024 18:00 − Donnerstag 19-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Clever GitHub Scanner campaign abusing repos to push malware ∗∗∗ --------------------------------------------- A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. [..] The domain, github-scanner[.]com is not affiliated with GitHub and is being used to deliver malware to visitors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-github-scanner-campai… ∗∗∗ Sicherheitsexperte: Müssen uns nicht vor explodierenden Handys fürchten ∗∗∗ --------------------------------------------- Nach Explosionswellen im Libanon sorgen sich manche nun um die eigenen Smartphones. Cyberexperte Joe Pichelmayr sieht da aber wenig Gefahr. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsexperte-handys-smartphone-exp… ∗∗∗ Google Cloud Document AI flaw (still) allows data theft despite bounty payout ∗∗∗ --------------------------------------------- Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. [..] A Google spokesperson has told us in response to the above: [..] We developed a fix and are actively working to roll it out. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/17/google_cloud… ∗∗∗ Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware ∗∗∗ --------------------------------------------- In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cracked-software-or-cy… ∗∗∗ Solar Cybersecurity And The Nuances Of Renewable Energy Integration ∗∗∗ --------------------------------------------- The modern age of renewable energy has seen a surge in solar panels and wind turbines. While these systems enhance sustainability, their digital technologies carry risks. Cybersecurity professionals must know the relevant nuances when integrating renewable systems. --------------------------------------------- https://www.tripwire.com/state-of-security/solar-cybersecurity-and-nuances-… ∗∗∗ Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool ∗∗∗ --------------------------------------------- Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/ ∗∗∗ Betrugsfall mit tegut teo-App und fiktiver Mitarbeiternummer ∗∗∗ --------------------------------------------- Im Prozess sagte der Angeklagte: "Ich war zu der Zeit arbeitslos. Für die Märkte gibt es eine App und da konnte man bei Bezahlungsmitteln die Mitarbeiternummer als Karte hinterlegen. Ich habe es einfach mit einer zufälligen Zahl probiert, und es hat direkt geklappt. --------------------------------------------- https://www.borncity.com/blog/2024/09/19/betrugsfall-mit-tegut-teo-app-und-… ∗∗∗ Aktuelle Phishing-Masche: Terminwunsch für Telefonat mit angeblicher Sparkasse ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt vor einer aktuellen Phishing-Masche. Angeblich will die Sparkasse einen Termin für ein Telefonat. --------------------------------------------- https://heise.de/-9909574 ∗∗∗ Discord startet Ende-zu-Ende-Verschlüsselung für Audio- und Video-Chats ∗∗∗ --------------------------------------------- Um die Privatsphäre zu wahren, verschlüsselt der Onlinedienst Discord ab sofort bestimmte Formen des Nachrichtenaustauschs Ende-zu-Ende. --------------------------------------------- https://heise.de/-9909594 ===================== = Vulnerabilities = ===================== ∗∗∗ VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server ∗∗∗ --------------------------------------------- CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution. --------------------------------------------- https://kb.cert.org/vuls/id/138043 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle). --------------------------------------------- https://lwn.net/Articles/990877/ ∗∗∗ GitLab Patches Critical Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- GitLab has patched a critical-severity SAML authentication bypass affecting both Community Edition (CE) and Enterprise Edition (EE) instances. [..] The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication. --------------------------------------------- https://www.securityweek.com/gitlab-patches-critical-authentication-bypass-… ∗∗∗ DSA-5772-1 libreoffice - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00185.html ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ MegaSys Computer Technologies Telenium Online Web Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-02 ∗∗∗ Kastle Systems Access Control System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05 ∗∗∗ IDEC CORPORATION WindLDR and WindO/I-NV4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-03 ∗∗∗ Rockwell Automation RSLogix 5 and RSLogix 500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2024
by Daily end-of-shift report 18 Sep '24

18 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2024 18:00 − Mittwoch 18-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Construction firms breached in brute force attacks on accounting software ∗∗∗ --------------------------------------------- Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/construction-firms-breached-… ∗∗∗ Temu denies breach after hacker claims theft of 87 million data records ∗∗∗ --------------------------------------------- Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hac… ∗∗∗ Sandbox scores are not an antivirus replacement ∗∗∗ --------------------------------------------- Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an "overall score" or "verdict" is misleading. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/09/38031-sandbox-scores-are-not-an-… ∗∗∗ Vanir Locker: Deutsche Polizei übernimmt Tor-Seite einer Hackergruppe ∗∗∗ --------------------------------------------- Wer die Datenleckseite der Ransomwaregruppe Vanir Locker aufruft, findet dort nun eine Meldung des LKA vor. Die Seite wurde beschlagnahmt. --------------------------------------------- https://www.golem.de/news/lka-baden-wuerttemberg-polizei-uebernimmt-leak-se… ∗∗∗ Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th) ∗∗∗ --------------------------------------------- A few months ago, I wrote a diary about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications .. --------------------------------------------- https://isc.sans.edu/forums/diary/Python+Infostealer+Patching+Windows+Exodu… ∗∗∗ VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation ∗∗∗ --------------------------------------------- Bug reports made in China Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation. --------------------------------------------- https://www.theregister.com/2024/09/17/vmware_vcenter_patch/ ∗∗∗ Australian Police conducted supply chain attack on criminal collaborationware ∗∗∗ --------------------------------------------- Sting led to cuffing of alleged operator behind Ghost – an app for drug trafficking, money laundering, and violence-as-a-service Australias Federal Police (AFP) yesterday arrested and charged a man with creating and administering an app named Ghost that was allegedly "a dedicated encrypted communication platform … built solely for the criminal underworld" and .. --------------------------------------------- https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware… ∗∗∗ Did a Chinese University Hacking Competition Target a Real Victim? ∗∗∗ --------------------------------------------- Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there. --------------------------------------------- https://www.wired.com/story/china-hacking-competition-real-victim/ ∗∗∗ Scam ‘Funeral Streaming’ Groups Thrive on Facebook ∗∗∗ --------------------------------------------- Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any .. --------------------------------------------- https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on… ∗∗∗ Russian Security Firm Doctor Web Hacked ∗∗∗ --------------------------------------------- Antimalware company Doctor Web was recently targeted in a cyberattack that prompted it to disconnect all resources from its networks. --------------------------------------------- https://www.securityweek.com/russian-security-firm-doctor-web-discloses-tar… ∗∗∗ North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs ∗∗∗ --------------------------------------------- A North Korean group tracked as UNC2970 has been spotted trying to deliver new malware to people in the aerospace and energy industries. --------------------------------------------- https://www.securityweek.com/north-korean-hackers-lure-critical-infrastruct… ∗∗∗ Cyber threats to shipping explained ∗∗∗ --------------------------------------------- TL;DR Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the […]The post Cyber threats to shipping explained first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-threats-to-shipping-exp… ∗∗∗ Vulnerabilities in Cellular Packet Cores Part IV: Authentication ∗∗∗ --------------------------------------------- Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC). The first vulnerability (CVE-2024-20685) allows a crafted signaling message to crash the control plane, leading to potential service outages. The second (ZDI-CAN-23960) disconnects and replaces attached base stations, disrupting network operations. While these .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-… ∗∗∗ RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems ∗∗∗ --------------------------------------------- Air-gapped systems, once considered immune to attacks, are now vulnerable. Learn about a groundbreaking new method that .. --------------------------------------------- https://hackread.com/rambo-attack-electromagnetic-waves-data-air-gapped-sys… ∗∗∗ CISA KEV performance in the Financial Sector ∗∗∗ --------------------------------------------- I’ve had a number of requests to examine the finance sector in more detail including breakdowns of exactly what kind of financial organizations are experiencing greater risk and who is remediating more quickly. Heres some answers. --------------------------------------------- https://www.bitsight.com/blog/cisa-kev-performance-financial-sector ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce" ∗∗∗ --------------------------------------------- WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN19766555/ ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2024
by Daily end-of-shift report 17 Sep '24

17 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2024 18:00 − Dienstag 17-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploit code released for critical Ivanti RCE flaw, patch now ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-code-released-for-cr… ∗∗∗ Emergency Accounts: Last Call! ∗∗∗ --------------------------------------------- Even if you have been out of office for the last couple of months, you should be aware that starting October 15th you will need to provide Multi Factor Authentication (MFA) to logon to Azure portal, Entra admin center and Intune admin center. This will be enforced to all users accessing these resources regardless of their role or permission level. [..] With Microsoft’s new MFA enforcement, you need a different approach for emergency accounts. --------------------------------------------- https://blog.nviso.eu/2024/09/17/emergency-accounts-last-call/ ∗∗∗ Secure Boot-neutering PKfail debacle is more prevalent than anyone knew ∗∗∗ --------------------------------------------- A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines. --------------------------------------------- https://arstechnica.com/?p=2050182 ∗∗∗ Check24 und Verivox: Sensible Daten von Kreditnehmern leicht zugänglich im Netz ∗∗∗ --------------------------------------------- Bei zwei namhaften Vergleichsportalen hat ein Experte Sicherheitslücken entdeckt. Dadurch sollen Kreditangebote mit sensiblen Daten frei abrufbar gewesen sein. [..] Genannt wurden Daten wie Namen und Adressen sowie Angaben zum jeweiligen Arbeitsverhältnis, Einkommen und die Anzahl der Kinder. --------------------------------------------- https://www.golem.de/news/check24-und-verivox-sensible-daten-von-kreditnehm… ∗∗∗ What to Do With Products Without SSO? ∗∗∗ --------------------------------------------- Let’s start with the role that SSO plays in modern defense architecture, and then cover how to implement similar security measures without such a centralized mechanism. --------------------------------------------- https://zeltser.com/products-without-sso/ ∗∗∗ Cyber predators target vulnerable victims: Hackers blackmail hospitals, trade patient data and find partners through darknet ads ∗∗∗ --------------------------------------------- According to data from Check Point Research (CPR), from January – September 2024, the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year. --------------------------------------------- https://blog.checkpoint.com/research/cyber-predators-target-vulnerable-vict… ∗∗∗ ‘Clipper’ malware is being used to steal crypto, Binance warns ∗∗∗ --------------------------------------------- Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.” --------------------------------------------- https://therecord.media/clipper-malware-binance-stealing-crypto ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8). --------------------------------------------- https://lwn.net/Articles/990588/ ∗∗∗ Apple Patches Major Security Flaws With iOS 18 Refresh ∗∗∗ --------------------------------------------- Apple warns that attackers can use Siri to access sensitive user data, control nearby devices, or view recent photos without authentication. According to a bulletin from Cupertino, iOS 18 has been fitted with fixes for vulnerabilities in core components including accessibility features, Bluetooth, Control Center, and Wi-Fi, with several flaws allowing unauthorized access to sensitive data or full device control. --------------------------------------------- https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18… ∗∗∗ Sicherheitspatch: Hintertür in einigen D-Link-Routern erlaubt unbefugte Zugriffe ∗∗∗ --------------------------------------------- Angreifer können bestimmte Router-Modelle von D-Link attackieren und kompromittieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-9870648 ∗∗∗ MISP 2.4.198 released with many bugs fixed, security fixes and improvements. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/09/17/MISP.2.4.198.released.html/ ∗∗∗ Yokogawa Dual-redundant Platform for Computer (PC2CKM) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03 ∗∗∗ Millbeck Communications Proroute H685t-w ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2024
by Daily end-of-shift report 16 Sep '24

16 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-09-2024 18:00 − Montag 16-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗ --------------------------------------------- Infection corrals devices running AOSP-based firmware into a botnet. --------------------------------------------- https://arstechnica.com/?p=2049773 ∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗ --------------------------------------------- A malware campaign uses the unusual method of locking users in their browsers kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio… ∗∗∗ Nach Cyberangriff: Hacker stellen Daten von Kawasaki ins Darknet ∗∗∗ --------------------------------------------- Kawasaki selbst behauptet, der Cyberangriff sei "nicht erfolgreich" gewesen. Dennoch sind im Darknet fast 500 GBytes an Unternehmensdaten aufgetaucht. --------------------------------------------- https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa… ∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗ --------------------------------------------- In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force… ∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users credentials."Unlike other phishing webpage .. --------------------------------------------- https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h… ∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗ --------------------------------------------- Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US. --------------------------------------------- https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/ ∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗ --------------------------------------------- Putting a spanner in work for plans of opposition party to launch a comeback during next years elections One of Germanys major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems. --------------------------------------------- https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/ ∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗ --------------------------------------------- A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would .. --------------------------------------------- https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene… ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit kurzem sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024 ∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗ --------------------------------------------- Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups. --------------------------------------------- https://therecord.media/germany-cyberattack-radio-geretsried ∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗ --------------------------------------------- Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data. --------------------------------------------- https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl). --------------------------------------------- https://lwn.net/Articles/990455/ ∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗ --------------------------------------------- Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.198 ∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1226/ ∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1225/ ∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1224/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2024
by Daily end-of-shift report 13 Sep '24

13 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-09-2024 18:00 − Freitag 13-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗ --------------------------------------------- With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT). --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed… ∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗ --------------------------------------------- A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers. --------------------------------------------- https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/ ∗∗∗ Nach CrowdStrike: Microsoft plant Security-Lösungen aus dem Windows-Kernel zu entfernen ∗∗∗ --------------------------------------------- Microsoft hat erste Pläne skizziert, wie sich Windows-Systeme so absichern lassen, dass ein kaputtes Update einer Endpunkt-Sicherheitslösung nicht das ganze Betriebssystem in den Abgrund reißt. --------------------------------------------- https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s… ∗∗∗ I stole 20 GB of data from Capgemini – and now Im leaking it, says cybercrook ∗∗∗ --------------------------------------------- A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br… ∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗ --------------------------------------------- Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions. --------------------------------------------- https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-… ∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. --------------------------------------------- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di… ∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗ --------------------------------------------- A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others. --------------------------------------------- https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-… ∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗ --------------------------------------------- This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website. --------------------------------------------- https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten… ∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗ --------------------------------------------- I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/ ∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗ --------------------------------------------- As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections. --------------------------------------------- https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily