Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 23.07.2024
by Daily end-of-shift report 23 Jul '24

23 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-07-2024 18:00 − Dienstag 23-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US-Ausschuss lädt ein: Crowdstrike-CEO soll für IT-Panne Rede und Antwort stehen ∗∗∗ --------------------------------------------- Millionen von Windows-PCs konnten am Freitag plötzlich nicht mehr starten. Der Heimatschutzausschuss des US-Repräsentantenhauses will genau wissen, wie es dazu kam. --------------------------------------------- https://www.golem.de/news/us-ausschuss-laedt-ein-crowdstrike-ceo-soll-fuer-… ∗∗∗ Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. --------------------------------------------- https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html ∗∗∗ Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress ∗∗∗ --------------------------------------------- Authorities in the UK infiltrated and disrupted the DDoS-for-hire service DigitalStress, and one suspect was arrested. --------------------------------------------- https://www.securityweek.com/law-enforcement-disrupts-ddos-for-hire-service… ∗∗∗ FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating ∗∗∗ --------------------------------------------- The FrostyGoop ICS malware was used recently in an attack against a Ukrainian energy firm that resulted in loss of heating for many buildings. --------------------------------------------- https://www.securityweek.com/frostygoop-ics-malware-left-ukrainian-citys-re… ∗∗∗ Kriminelle nutzen weltweite IT-Ausfälle für Betrugsmaschen ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie Anrufe oder E-Mails im Namen von Crowdstrike oder Microsoft erhalten. Die weltweiten IT-Ausfälle, die durch Crowdstrike verursacht wurden, werden nun von Kriminellen als Vorwand für verschiedene Betrugsmaschen genutzt. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nutzen-weltweite-it-ausfa… ∗∗∗ Vorsicht vor gefälschten Anfragen im Namen der PORR ∗∗∗ --------------------------------------------- Kriminelle geben sich als Firma PORR aus und versenden betrügerische E-Mail-Anfragen. Sie werden gebeten, ein Angebot zu stellen und dazu die Ausschreibungsunterlagen auf www.ausschreibungen-porr.at zu verwenden. Dieser Link führt jedoch zu einem gefälschten Ondrive-Ordner! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-anfragen-i… ∗∗∗ Vulnerabilities in LangChain Gen AI ∗∗∗ --------------------------------------------- This article is a detailed study of CVE-2023-46229 and CVE-2023-44467, two vulnerabilities discovered by our researchers affecting generative AI framework LangChain. --------------------------------------------- https://unit42.paloaltonetworks.com/langchain-vulnerabilities/ ∗∗∗ Daggerfly: Espionage Group Makes Major Update to Toolset ∗∗∗ --------------------------------------------- APT group appears to be using a shared framework to create Windows, Linux, macOS, and Android threats. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfl… ∗∗∗ Learning from the Recent Windows/Falcon Sensor Outage: Causes and Potential Improvement Strategies in Linux Using Open Source Solutions ∗∗∗ --------------------------------------------- How can a configuration file crash an OS? Because the real issue is not the configuration file itself, but the kernel driver using it. Let’s take a quick, non-technical tour of the potential reasons behind this situation, how it is addressed in the Linux kernel, and what you as users or customers can do to avoid such issues. --------------------------------------------- https://www.circl.lu/pub/learning-from-falcon-sensor-outage/ ∗∗∗ Exploiting CVE-2024-21412: A Stealer Campaign Unleashed ∗∗∗ --------------------------------------------- FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files. --------------------------------------------- https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-ste… ∗∗∗ So nicht: Wie sich ein Netzbetreiber in den Totalausfall manövriert hat ∗∗∗ --------------------------------------------- 26 Stunden lang sind die Kunden eines großen Netzbetreibers offline. Damit auch Notruf, Banken, Kassen. 2 Jahre später wird deutlich, was schiefgelaufen ist. --------------------------------------------- https://heise.de/-9808767 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gtk3 and jpegxl), Red Hat (kpatch-patch and thunderbird), SUSE (apache2, git, gnome-shell, java-11-openjdk, java-21-openjdk, kernel, kernel-firmware, kernel-firmware-nvidia-gspx-G06, libgit2, mozilla-nss, nodejs20, python-Django, and python312), and Ubuntu (linux-aws, linux-aws, linux-aws-5.4, linux-iot, linux-aws-5.15, pymongo, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/982939/ ∗∗∗ Software-Distributionssystem TeamCity erinnert sich an gelöschte Zugangstoken ∗∗∗ --------------------------------------------- Angreifer können an sechs mittlerweile geschlossenen Sicherheitslücken in JetBrain TeamCity ansetzen. --------------------------------------------- https://heise.de/-9810746 ∗∗∗ 10,000 WordPress Sites Affected by High Severity Vulnerabilities in BookingPress WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/07/10000-wordpress-sites-affected-by-hi… ∗∗∗ National Instruments IO Trace ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-01 ∗∗∗ RADIUS Protocol Forgery Vulnerability (Blast-RADIUS) ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014 ∗∗∗ Hitachi Energy AFS/AFR Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-02 ∗∗∗ National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2024
by Daily end-of-shift report 22 Jul '24

22 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-07-2024 18:00 − Montag 22-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers Abuse Swap File to Steal Credit Cards ∗∗∗ --------------------------------------------- Bad actors exploited the humble swap file to maintain a persistent credit card skimmer on a Magento e-commerce site. This clever tactic allowed the malware to survive multiple cleanup attempts. --------------------------------------------- https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-c… ∗∗∗ Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. --------------------------------------------- https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html ∗∗∗ SocGholish Malware Exploits BOINC Project for Covert Cyberattacks ∗∗∗ --------------------------------------------- The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. --------------------------------------------- https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html ∗∗∗ PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing ∗∗∗ --------------------------------------------- A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. --------------------------------------------- https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html ∗∗∗ From RA Group to RA World: Evolution of a Ransomware Group ∗∗∗ --------------------------------------------- Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools. --------------------------------------------- https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-… ∗∗∗ Addressing CrowdStrike on Cloud VMs in AWS with Automated Remediation ∗∗∗ --------------------------------------------- Published guidance instructs administrators to reboot the machine in Safe Mode, delete a specific file, and reboot back to normal mode. Obviously, this isn’t a viable resolution on virtual machines hosted in the public cloud as there is no way to get to Safe Mode. --------------------------------------------- https://orca.security/resources/blog/crowdstrike-cloud-vm-automated-remedia… ∗∗∗ Crowdstrike-Ausfälle: Microsoft veröffentlicht Wiederherstellungstool ∗∗∗ --------------------------------------------- Microsoft hat ein Image für USB-Sticks veröffentlicht, mit dem sich betroffene Systeme wiederherstellen lassen. Vorausgesetzt, man hat den BitLocker-Key. --------------------------------------------- https://heise.de/-9808481 ===================== = Vulnerabilities = ===================== ∗∗∗ Telegram zero-day allowed sending malicious Android APKs as videos ∗∗∗ --------------------------------------------- A Telegram for Android zero-day vulnerability dubbed EvilVideo allowed attackers to send malicious Android APK payloads disguised as video files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-se… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy,[...] --------------------------------------------- https://lwn.net/Articles/982845/ ∗∗∗ Sicherheitsupdates: Angreifer können Sonicwall-Firewalls lahmlegen ∗∗∗ --------------------------------------------- Einige Firewalls von Sonicwall sind verwundbar. Attacken könnten bevorstehen. --------------------------------------------- https://heise.de/-9808904 ∗∗∗ BIOS-Sicherheitslücke gefährdet unzählige HP-PCs ∗∗∗ --------------------------------------------- Angreifer können viele Desktopcomputer von HP mit Schadcode attackieren. --------------------------------------------- https://heise.de/-9809134 ∗∗∗ SSA-071402 V1.0: Multiple Vulnerabilities in SICAM Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-071402.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2024
by Daily end-of-shift report 19 Jul '24

19 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-07-2024 18:00 − Freitag 19-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Wieso weltweit zahlreiche IT-Systeme durch zwei Fehler am 19. Juli 2024 ausfielen ∗∗∗ --------------------------------------------- Am 19. Juli 2024 kam es weltweit zu zahlreichen Störungen an IT-Systemen. Der Betrieb an Flughäfen stand, Banken konnten nicht mehr arbeiten, Züge fielen aus, und Firmen schickten ihre Mitarbeiter nach Hause (z.B. Tegut), weil die IT-Systeme nicht mehr gingen. Es war aber kein Cyberangriff, sondern das gleichzeitige Auftreten zweier Fehler – unabhängig voneinander, die zum Ausfall von Funktionen führte. --------------------------------------------- https://www.borncity.com/blog/2024/07/19/wieso-weltweit-zahlreiche-it-syste… ∗∗∗ Recent Splunk Enterprise Vulnerability Easy to Exploit: Security Firm ∗∗∗ --------------------------------------------- SonicWall warns that a simple GET request is enough to exploit a recent Splunk Enterprise vulnerability. --------------------------------------------- https://www.securityweek.com/recent-splunk-enterprise-vulnerability-easy-to… ∗∗∗ Fake-SMS: „Ihre Registrierung für die Unternehmensservice Portal ID läuft ab“ ∗∗∗ --------------------------------------------- Kriminelle senden aktuell SMS an Unternehmer:innen und geben sich dabei als Unternehmensservice Portal (USP) aus. Es wird behauptet, dass die ID für das Portal abläuft - und zwar schon morgen. Tatsächlich versuchen Kriminelle hier, an Ihre Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-ihre-registrierung-fuer-die… ∗∗∗ HotPage: Story of a signed, vulnerable, ad-injecting driver ∗∗∗ --------------------------------------------- The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals. Not only that, these have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulner… ∗∗∗ Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma ∗∗∗ --------------------------------------------- Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-va… ∗∗∗ APT41 Has Arisen From the DUST ∗∗∗ --------------------------------------------- In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, libndp, openssh, qt5-qtbase, ruby, skopeo, and thunderbird), Debian (thunderbird), Fedora (dotnet6.0, httpd, python-django, python-django4.2, qt6-qtbase, rapidjson, and ruby), Red Hat (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, libndp, qt5-qtbase, and thunderbird), Slackware (httpd), SUSE (apache2, chromium, and kernel), and Ubuntu (apache2, linux-aws, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-aws-6.5, linux-lowlatency-hwe-6.5, linux-oracle-6.5, linux-starfive-6.5, and linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/982559/ ∗∗∗ SonicWall SMA100 NetExtender Windows Client Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. SonicWall strongly advises SSL VPN NetExtender client users to upgrade to the latest release version. IMPORTANT: This vulnerability does not affect SonicWall firewall (SonicOS) products. CVE: CVE-2024-29014 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0011 ∗∗∗ Atlassian Bamboo: Angreifer können Entwicklungsumgebungen kompromittieren ∗∗∗ --------------------------------------------- Es sind Attacken auf Atlassian Bamboo Data Center und Server vorstellbar. Dagegen abgesicherte Version sind erschienen. --------------------------------------------- https://heise.de/-9806185 ∗∗∗ Schlupfloch für Schadcode in Ivanti Endpoint Manager geschlossen ∗∗∗ --------------------------------------------- Stimmen die Voraussetzungen, sind Attacken auf Ivanti Endpoint Manager möglich. Ein Sicherheitspatch schafft Abhilfe. [..] In einem Beitrag schreiben die Entwickler, dass von der Lücke (CVE-2024-37381 "hoch") EPM 2024 flat betroffen ist. Unklar ist, ob davon auch andere Versionen bedroht sind. Im späteren Verlauf schreiben sie, dass das Sicherheitsproblem in zukünftigen EPM-Ausgaben gelöst wird. --------------------------------------------- https://heise.de/-9806384 ∗∗∗ Bosch: "regreSSHion" OpenSSH vulnerability in PRC7000 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-258444.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2024
by Daily end-of-shift report 18 Jul '24

18 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-07-2024 18:00 − Donnerstag 18-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SolarWinds fixes 8 critical bugs in access rights audit software ∗∗∗ --------------------------------------------- SolarWinds has fixed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-fixes-8-critical-… ∗∗∗ Cisco-Schwachstelle: Secure Email Gateway ist vor allem secure, außer vor Mails ∗∗∗ --------------------------------------------- Eine E-Mail mit einem speziell gestalteten Anhang reicht aus, um ein anfälliges Gateway zu infiltrieren und es zum Absturz zu bringen oder Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/cisco-schwachstelle-secure-email-gateway-ist-vor-… ∗∗∗ Forensik-Tool Cellebrite: Diese Smartphones kann das FBI knacken ∗∗∗ --------------------------------------------- Kürzlich hat das FBI das Smartphone des Trump-Attentäters geknackt. Geleakte Dokumente von Cellebrite zeigen, bei welchen Geräten das grundsätzlich möglich ist. --------------------------------------------- https://www.golem.de/news/forensik-tool-cellebrite-diese-smartphones-kann-d… ∗∗∗ Criminal Gang Physically Assaulting People for Their Cryptocurrency ∗∗∗ --------------------------------------------- This is pretty horrific: a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/07/criminal-gang-physically-ass… ∗∗∗ SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered security shortcomings in SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence (AI) workflows that could be exploited to get hold of access tokens and customer data. The five vulnerabilities have been collectively dubbed SAPwned by cloud .. --------------------------------------------- https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html ∗∗∗ TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks ∗∗∗ --------------------------------------------- Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Futures Insikt Group is tracking the activity .. --------------------------------------------- https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html ∗∗∗ Container Breakouts: Escape Techniques in Cloud Environments ∗∗∗ --------------------------------------------- Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime. --------------------------------------------- https://unit42.paloaltonetworks.com/container-escape-techniques/ ∗∗∗ Windows Patchday-Nachlese: MSHTML 0-day-Schwachstelle CVE-2024-38112 durch Malware ausgenutzt ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zum Juli 2024 Patchday bei Microsoft. Mit den Sicherheitsupdates hat Microsoft auch eine MSHTML Spoofing-Schwachstelle geschlossen. Es gab die Information, dass diese Schwachstelle (CVE-2024-38112) durch .. --------------------------------------------- https://www.borncity.com/blog/2024/07/18/windows-patchday-nachlese-mshtml-0… ∗∗∗ FIN7 Cybercrime Gang Evolves with Ransomware and Hacking Tools ∗∗∗ --------------------------------------------- FIN7, a notorious cybercrime gang, is back with a new bag of tricks! --------------------------------------------- https://hackread.com/fin7-cybercrime-gang-ransomware-hacking-tools/ ∗∗∗ CISA Releases Playbook for Infrastructure Resilience Planning ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a companion guide to the Infrastructure Resilience Planning Framework (IRPF), which provides guidance on how local governments and the private sector can .. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-playbook-infrastructure… ∗∗∗ Critical Patch Update: Oracles Quartalsupdate liefert 386 Sicherheitspatches ∗∗∗ --------------------------------------------- Angreifer können kritische Lücken in unter anderem Oracle HTTP Server oder MySQL Cluster ausnutzen. --------------------------------------------- https://heise.de/-9804741 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-07-18 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/publicationListing.x ∗∗∗ Heap-based buffer overflow vulnerability in SonicOS IPSec VPN ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0012 ∗∗∗ CVE-2024-5321 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/126161 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2024
by Daily end-of-shift report 17 Jul '24

17 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-07-2024 18:00 − Mittwoch 17-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks ∗∗∗ --------------------------------------------- The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its .. --------------------------------------------- https://thehackernews.com/2024/07/scattered-spider-adopts-ransomhub-and.html ∗∗∗ Ransomware continues to pile on costs for critical infrastructure victims ∗∗∗ --------------------------------------------- Millions more spent without any improvement in recovery times Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year. --------------------------------------------- https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/ ∗∗∗ Anlagebetrug: Vorsicht vor E-Mails mit Entschädigungsversprechen ∗∗∗ --------------------------------------------- Sie haben in der Vergangenheit durch Anlagebetrug Geld verloren? Vorsicht: Sie sind noch immer im Visier von Kriminellen. Diese kontaktieren nämlich ehemalige Opfer mit der Behauptung, dass Ihr Geld gefunden wurde. Ignorieren Sie solche Angebote und gehen Sie nicht darauf ein, sonst verlieren Sie erneut Geld! --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-e-mails-mi… ∗∗∗ ‘GhostEmperor’ returns: Mysterious Chinese hacking group spotted for first time in two years ∗∗∗ --------------------------------------------- An elusive and highly covert Chinese hacking group tracked as GhostEmperor - notorious for its sophisticated supply-chain attacks targeting telecommunications and government entities in Southeast Asia - has been spotted for the first time in more than two years. And according to the researchers, the group has gotten even better at evading detection. --------------------------------------------- https://therecord.media/ghostemperor-spotted-first-time-in-two-years ∗∗∗ Reverse-Proxy-Phishing-Angriffe trotz Phishing-Schutz ∗∗∗ --------------------------------------------- Weltweit lässt sich eine Zunahme von Phishing und Reverse-Proxy-Phishing-Angriffen konstatieren. Anbieter von Sicherheitslösungen haben damit begonnen, fortschrittlichere Erkennungsmethoden zu implementieren. Aber reicht das aus, um entschlossene und ausgebuffte Angreifer abzuwehren? Kuba Gretzky hat sich auf der .. --------------------------------------------- https://www.borncity.com/blog/2024/07/17/reverse-proxy-phishing-angriffe-an… ∗∗∗ Private HTS Program Continuously Used in Attacks ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has previously covered a case where Quasar RAT was distributed through private home trading systems (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program“. The same threat actor has been continuously distributing malware, and attack cases have been confirmed even recently. Similar to the previous .. --------------------------------------------- https://asec.ahnlab.com/en/67969/ ∗∗∗ Root-Sicherheitslücke bedroht KI-Gadget Rabbit R1 ∗∗∗ --------------------------------------------- Angreifer können das KI-Gadget Rabbit R1 über den Android-Exploit Kamakiri komplett kompromittieren. Bislang gibt es keinen Sicherheitspatch. --------------------------------------------- https://heise.de/-9803666 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5731-1 linux - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00142.html ∗∗∗ Oracle Critical Patch Update Advisory - July 2024 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpujul2024.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-32/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2024
by Daily end-of-shift report 16 Jul '24

16 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-07-2024 18:00 − Dienstag 16-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zwei Tage nach Attentat: FBI knackt Smartphone des Trump-Schützen ∗∗∗ --------------------------------------------- Ein Attentat auf Donald Trump sorgte am Wochenende für Aufsehen. Das FBI ist nun in der Lage, die Inhalte des Smartphones des Schützen zu analysieren. --------------------------------------------- https://www.golem.de/news/zwei-tage-nach-attentat-fbi-knackt-smartphone-des… ∗∗∗ "Reply-chain phishing" with a twist, (Tue, Jul 16th) ∗∗∗ --------------------------------------------- Few weeks ago, I was asked by a customer to take a look at a phishing message which contained a link that one of their employees clicked on. The concern was whether the linked-to site was only a generic credential stealing web page or something targeted/potentially more dangerous. Luckily, it was only a run-of-the-mill phishing kit login page, nevertheless, the e-mail message itself turned out to be somewhat more interesting, since although it didn’t look like anything special, it did make it to the recipient’s inbox, instead of the e-mail quarantine where it should have ended up. --------------------------------------------- https://isc.sans.edu/diary/rss/31084 ∗∗∗ Konfety Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins ∗∗∗ --------------------------------------------- Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities. --------------------------------------------- https://thehackernews.com/2024/07/konfety-ad-fraud-uses-250-google-play.html ∗∗∗ DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed ∗∗∗ --------------------------------------------- Meet the new boss, same as the old boss The DarkGate malware family has become more prevalent in recent months, after one of its main competitors was taken down by the FBI. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/07/16/darkgate_mal… ∗∗∗ Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages ∗∗∗ --------------------------------------------- A hacker group called “NullBulge” says it stole more than a terabyte of Disneys internal Slack messages and files from nearly 10,000 channels in an apparent protest over AI-generated art. --------------------------------------------- https://www.wired.com/story/disney-slack-leak-nullbulge/ ∗∗∗ Kaspersky Leaving US Following Government Ban ∗∗∗ --------------------------------------------- Kaspersky is shutting down operations in the US and laying off employees following the recent Commerce Department ban. --------------------------------------------- https://www.securityweek.com/kaspersky-leaving-us-following-government-ban/ ∗∗∗ Beware of BadPack: One Weird Trick Being Used Against Android Devices ∗∗∗ --------------------------------------------- Our data shows a pattern of APK malware bundled as BadPack files. We discuss how this technique is used to garble malicious Android files, creating challenges for analysts. --------------------------------------------- https://unit42.paloaltonetworks.com/apk-badpack-malware-tampered-headers/ ∗∗∗ Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 2024 Global Cyber Attacks ∗∗∗ --------------------------------------------- Check Point Research (CPR) releases new data on Q2 2024 cyber attack trends. The data is segmented by global volume, industry and geography. These cyber attack numbers were driven by a variety of reasons, ranging from the continued increase in digital transformation and the growing sophistication of cybercriminals using advanced techniques like AI and machine learning. --------------------------------------------- https://blog.checkpoint.com/research/check-point-research-reports-highest-i… ∗∗∗ Punch Card Hacking – Exploring a Mainframe Attack Vector ∗∗∗ --------------------------------------------- Mainframes are the unseen workhorses that carry the load for many services we use on a daily basis: Withdrawing money from an ATM, credit card payments, and airline reservations to name just a few of the high volume workloads that are primarily handled by mainframes. [..] In this article, we demonstrate an entry level technique for penetration testers to get started using a different twist on a familiar technology to attack these computing giants. --------------------------------------------- https://blog.nviso.eu/2024/07/16/punch-card-hacking-exploring-a-mainframe-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2024-31144 / XSA-459 ∗∗∗ --------------------------------------------- If a fraudulent metadata backup has been written into an SR which also contains a legitimate metadata backup, and an administrator explicitly chooses to restore from backup, the fraudulent metadata might be consumed instead of the legitimate metadata. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-459.html ∗∗∗ Xen Security Advisory CVE-2024-31143 / XSA-458 ∗∗∗ --------------------------------------------- Denial of Service (DoS) affecting the entire host, crashes, information leaks, or elevation of privilege all cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-458.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (erlang-jose, mingw-python-certifi, and yt-dlp), Mageia (firefox, nss, libreoffice, sendmail, and tomcat), Red Hat (firefox, ghostscript, git-lfs, kernel, kernel-rt, ruby, and skopeo), SUSE (Botan, cockpit, kernel, nodejs18, p7zip, python3, and tomcat), and Ubuntu (ghostscript, linux, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-azure-6.5, linux-gcp-6.5, and linux-gke, linux-nvidia). --------------------------------------------- https://lwn.net/Articles/982169/ ∗∗∗ Rockwell Automation Pavilion 8 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-198-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2024
by Daily end-of-shift report 15 Jul '24

15 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-07-2024 18:00 − Montag 15-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Neue Absenderadresse für unsere täglichen Mails an Netzbetreiber ∗∗∗ --------------------------------------------- Wir versenden jeden Tag zwischen 150 und 250 Mails an unsere Kontakte bei Netzbetreibern in Österreich, um diese über Probleme in ihren Netzen zu informieren, die wir (bzw. unsere Datenquellen) dort gefunden haben. [..] Jetzt haben wir uns dazu entschlossen, den gleichen Weg zu nehmen, den schon viele andere Firmen beschritten haben: Wir senden ab sofort diese Mails nicht mehr von team(a)cert.at als Absender, sondern von noreply(a)cert.at aus. [..] Echte Rückfragen sollten weiterhin an team(a)cert.at gerichtet werden. --------------------------------------------- https://www.cert.at/de/blog/2024/7/neuer-absender-fuer-notifications ∗∗∗ Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD ∗∗∗ --------------------------------------------- On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers. --------------------------------------------- https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosur… ∗∗∗ Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found ∗∗∗ --------------------------------------------- Microsoft confirmed last week that Windows is not affected by the vulnerability. --------------------------------------------- https://www.securityweek.com/microsoft-says-windows-not-impacted-by-regress… ∗∗∗ ClickFix Deception: A Social Engineering Tactic to Deploy Malware ∗∗∗ --------------------------------------------- The HTML file masquerades as a Word document, displaying an error prompt to deceive users. [..] In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. [..] Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-s… ∗∗∗ DNS hijacks target crypto platforms registered with Squarespace ∗∗∗ --------------------------------------------- A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-pl… ∗∗∗ June Windows Server updates break Microsoft 365 Defender features ∗∗∗ --------------------------------------------- Microsoft has confirmed that Windows Server updates from last months Patch Tuesday break some Microsoft 365 Defender features that use the network data reporting service. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/june-windows-server-updates… ∗∗∗ Facebook ads for Windows desktop themes push info-stealing malware ∗∗∗ --------------------------------------------- Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. [..] While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-the… ∗∗∗ Knot Resolver 6 News: DoS protection – operator’s overview ∗∗∗ --------------------------------------------- The team behind Knot Resolver, the scalable caching DNS resolver, is hard at work developing a complex solution for protecting DNS servers and other participants on the Internet alike against denial-of-service attacks. This effort is a part of the ongoing DNS4EU project, co-funded by the European Union1, which we are a proud part of. [..] As usual with projects from CZ.NIC, all of this code is also free and open source under the GPL license, so everyone is free to study and adapt it for their own exciting purposes. --------------------------------------------- https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-opera… ∗∗∗ 16-bit Hash Collisions in .xls Spreadsheets, (Sat, Jul 13th) ∗∗∗ --------------------------------------------- Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions. I generated such a list, and included it in an update of my oledump plugin plugin_biff.py. --------------------------------------------- https://isc.sans.edu/diary/rss/31066 ∗∗∗ Protected OOXML Spreadsheets, (Mon, Jul 15th) ∗∗∗ --------------------------------------------- I was asked a question about the protection of an .xlsm spreadsheet [..] --------------------------------------------- https://isc.sans.edu/diary/rss/31070 ∗∗∗ CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool ∗∗∗ --------------------------------------------- A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools." --------------------------------------------- https://thehackernews.com/2024/07/crystalray-hackers-infect-over-1500.html ∗∗∗ CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks ∗∗∗ --------------------------------------------- Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cups, krb5, pgadmin4, python3.6, and yarnpkg), Mageia (freeradius, kernel, kmod-xtables-addons, kmod-virtualbox, and dwarves, kernel-linus, and squid), Red Hat (ghostscript, kernel, and less), SUSE (avahi, c-ares, cairo, cups, fdo-client, gdk-pixbuf, git, libarchive, openvswitch3, podman, polkit, python-black, python-Jinja2, python-urllib3, skopeo, squashfs, tiff, traceroute, and wget), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm). --------------------------------------------- https://lwn.net/Articles/982029/ ∗∗∗ Admin-Lücke bedroht Palo Alto Networks Migration-Tool Expedition ∗∗∗ --------------------------------------------- Verschiedene Cybersicherheitsprodukte von Palo Alto Networks sind verwundbar. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9800845 ∗∗∗ Wireshark 4.2.6 Released, (Sun, Jul 14th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/31068 ∗∗∗ 2024-07-15: Cyber Security Advisory -Mint Workbench I Unquoted Service Path Enumeration ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7912&Lan… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2024
by Daily end-of-shift report 12 Jul '24

12 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-07-2024 18:00 − Freitag 12-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nach Social-Media-Drama: Signal patcht eine seit 2018 bekannte Schwachstelle ∗∗∗ --------------------------------------------- Durch die Schwachstelle können andere Anwendungen auf Signal-Chats zugreifen. Bekannt ist das Problem schon seit sechs Jahren. Nun soll endlich ein Fix kommen. --------------------------------------------- https://www.golem.de/news/nach-social-media-drama-signal-patcht-seit-sechs-… ∗∗∗ Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots ∗∗∗ --------------------------------------------- Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot. --------------------------------------------- https://isc.sans.edu/diary/Understanding+SSH+Honeypot+Logs+Attackers+Finger… ∗∗∗ 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack ∗∗∗ --------------------------------------------- Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection.The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the .. --------------------------------------------- https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.ht… ∗∗∗ Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments ∗∗∗ --------------------------------------------- A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users inboxes.The vulnerability, tracked as CVE-2024-39929, has a CVSS .. --------------------------------------------- https://thehackernews.com/2024/07/critical-exim-mail-server-vulnerability.h… ∗∗∗ Telefonbetrug: Scam Anruf von Anwälten im Umlauf ∗∗∗ --------------------------------------------- Der Betrüger fälscht die Telefonnummer einer renommierten Anwaltskanzlei in der Umgebung und ruft das Opfer an. Im Gespräch gibt sich der vermeintliche Anwalt als eine echte Person aus, die .. --------------------------------------------- https://blog.zettasecure.com/telefonbetrug-scam-anruf-von-anwaelten-im-umla… ∗∗∗ AT&T wurde Opfer eines riesigen Hackerangriffs ∗∗∗ --------------------------------------------- Verbindungsdaten von 109 Millionen Kunden wurden von unbekannten Angreifern heruntergeladen --------------------------------------------- https://www.derstandard.at/story/3000000228237/att-wurde-opfer-eines-riesig… ∗∗∗ Apple sends new warning about mercenary spyware attacks to iPhone users. Should you worry now? ∗∗∗ --------------------------------------------- Though mercenary spyware attacks are rare and typically sent only to targeted individuals, Apple has alerted iPhone users about them for the second time this year. --------------------------------------------- https://www.zdnet.com/article/apple-warns-of-mercenary-spyware-attacks-agai… ∗∗∗ mSpy: Dritter Hack seit 2010 legt Millionen Nutzerdaten offen ∗∗∗ --------------------------------------------- Es heißt ja "Aller guten Dinge sind drei" – was aber hier wohl eher nicht zutrifft. Der Anbieter von Smartphone-Überwachung, mySpy, ist erneut durch ein Datenleck auf Grund eines Hacks aufgefallen (der dritte Vorfall seit 2010). Ein .. --------------------------------------------- https://www.borncity.com/blog/2024/07/12/mspy-dritter-hack-seit-2010-legt-m… ∗∗∗ Checking in on the state of cybersecurity and the Olympics ∗∗∗ --------------------------------------------- Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-july-12-2024/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5729-1 apache2 - security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00140.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2024
by Daily end-of-shift report 11 Jul '24

11 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-07-2024 18:00 − Donnerstag 11-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Datenleck: Millionen von 2FA-SMS standen frei zugänglich im Netz ∗∗∗ --------------------------------------------- Die vom CCC entdeckten SMS haben wohl neben internen Verwaltungs- und Abrechnungsdaten auf einer ungesicherten S3-Instanz eines Dienstleisters gelegen. --------------------------------------------- https://www.golem.de/news/datenleck-millionen-von-2fa-sms-standen-frei-zuga… ∗∗∗ You had a year to patch this Veeam flaw and now its going to hurt ∗∗∗ --------------------------------------------- LockBit variant targets backup software - which you may remember is supposed to help you recover from ransomware Yet another new ransomware gang, this one dubbed EstateRansomware, is exploiting a .. --------------------------------------------- https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/ ∗∗∗ Achtung: Phishingversuche im Namen von Bitpanda! ∗∗∗ --------------------------------------------- Derzeit kursieren vermehrt Phishingmails und SMS, die vortäuschen, vom Finanzdienstleister BitPanda versendet worden zu sein. Geben Sie keine persönlichen Daten oder Codes weiter, sonst geben Sie Kriminellen Zugang zu Ihrem Wallet! --------------------------------------------- https://www.watchlist-internet.at/news/phishingversuche-bitpanda/ ∗∗∗ E-Mail genügt: Outlook-Lücke gibt Angreifern Zugriff aufs System ∗∗∗ --------------------------------------------- Gefahr insbesondere bei Mails von "vertrauenswürdigen Absendern" – Patch steht bereit --------------------------------------------- https://www.derstandard.at/story/3000000228006/e-mail-genuegt-outlook-lueck… ∗∗∗ Impact of data breaches is fueling scam campaigns ∗∗∗ --------------------------------------------- Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time. A data breach occurs when unauthorized .. --------------------------------------------- https://blog.talosintelligence.com/data-breaches-fueling-scam-campaigns/ ∗∗∗ CISA and FBI Release Secure by Design Alert on Eliminating OS Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/10/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5728-1 exim4 - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00139.html ∗∗∗ DSA-5727-1 firefox-esr - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00138.html ∗∗∗ 2024-07 Security Bulletin: Junos OS Evolved: Execution of a specific CLI command will cause a crash in the AFT manager (CVE-2024-39513) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos… ∗∗∗ 2024-07 Security Bulletin: Junos OS and Junos OS Evolved: BGP multipath incremental calculation is resulting in an rpd crash (CVE-2024-39554) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos… ∗∗∗ NetScaler Console, Agent and SDX Security Bulletin for CVE-2024-6235 and CVE-2024-6236 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX677998/netscaler-console-agent-and-sd… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2024
by Daily end-of-shift report 10 Jul '24

10 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-07-2024 18:00 − Mittwoch 10-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ticket Heist network of 700 domains sells fake Olympic Games tickets ∗∗∗ --------------------------------------------- A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ticket-heist-network-of-700-… ∗∗∗ Im Klartext: Linksys-Router senden wohl WLAN-Passwörter an US-Server ∗∗∗ --------------------------------------------- Eine Verbraucherorganisation hat zwei Routermodelle von Linksys getestet. Beide übermitteln wohl sensible Daten an einen Server in den USA. Einen Patch gibt es bisher nicht. --------------------------------------------- https://www.golem.de/news/im-klartext-linksys-router-senden-wohl-wlan-passw… ∗∗∗ Cyberangriff trifft IT-Konzern: 49 Systeme von Fujitsu mit Malware infiziert ∗∗∗ --------------------------------------------- Cyberkriminellen ist es gelungen, interne Systeme von Fujitsu zu infiltrieren. Potenziell sind auch Kundendaten abgeflossen. Viele Details nennt der Konzern aber nicht. --------------------------------------------- https://www.golem.de/news/cyberangriff-trifft-it-konzern-49-systeme-von-fuj… ∗∗∗ Finding Honeypot Data Clusters Using DBSCAN: Part 1 ∗∗∗ --------------------------------------------- Sometimes data needs to be transformed or different tools need to be used so that it can be compared with other data. Some honeypot data is easy to compare since there is no customized information such as randomly generated file names, IP addresses, etc. --------------------------------------------- https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part… ∗∗∗ Ransomware crews investing in custom data stealing malware ∗∗∗ --------------------------------------------- BlackByte, LockBit among the criminals using bespoke tools As ransomware crews increasingly shift beyond just encrypting victims files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the .. --------------------------------------------- https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/ ∗∗∗ Google Is Adding Passkey Support for Its Most Vulnerable Users ∗∗∗ --------------------------------------------- Google is bringing the password-killing “passkey” tech to its Advanced Protection Program users more than a year after rolling them out broadly. --------------------------------------------- https://www.wired.com/story/google-passkey-advance-protection-program/ ∗∗∗ Augen auf beim Ticketkauf ∗∗∗ --------------------------------------------- Wie Betrüger beliebte Ticketplattformen für ihre finsteren Zwecke missbrauchen --------------------------------------------- https://www.welivesecurity.com/de/tipps-ratgeber/augen-auf-beim-ticketkauf/ ∗∗∗ Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities ∗∗∗ --------------------------------------------- This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities. --------------------------------------------- https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2024/ ∗∗∗ Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs ∗∗∗ --------------------------------------------- Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers. --------------------------------------------- https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/ ∗∗∗ Eldorado Ransomware Targeting Windows and Linux with New Malware ∗∗∗ --------------------------------------------- Another day, another threat against Windows and Linux systems! --------------------------------------------- https://hackread.com/eldorado-ransomware-windows-linux-malware/ ∗∗∗ CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook ∗∗∗ --------------------------------------------- Morphisec researchers have identified a significant vulnerability, CVE-2024-38021 — a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications. --------------------------------------------- https://blog.morphisec.com/cve-2024-38021-microsoft-outlook-moniker-rce-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, kernel-rt, libreswan, linux-firmware, pki-core, and podman), Fedora (firefox and jpegxl), Gentoo (Buildah, HarfBuzz, and LIVE555 Media Server), Oracle (buildah, gvisor-tap-vsock, kernel, libreswan, and podman), Red Hat (containernetworking-plugins, dotnet6.0, dotnet8.0, fence-agents, kernel, libreswan, libvirt, perl-HTTP-Tiny, python39:3.9, toolbox, and virt:rhel and virt-devel:rhel modules), SUSE (firefox, --------------------------------------------- https://lwn.net/Articles/981508/ ∗∗∗ [20240705] - Core - XSS in com_fields default field value ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/939-20240705-core-xss-in-c… ∗∗∗ [20240704] - Core - XSS in Wrapper extensions ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/938-20240704-core-xss-in-w… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily