=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-03-2024 18:00 − Monday 25-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New ZenHammer memory attack impacts AMD Zen CPUs ∗∗∗
---------------------------------------------
Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-…
∗∗∗ New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts ∗∗∗
---------------------------------------------
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-k…
∗∗∗ Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others ∗∗∗
---------------------------------------------
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data.
---------------------------------------------
https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html
∗∗∗ New Go loader pushes Rhadamanthys stealer ∗∗∗
---------------------------------------------
A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader…
∗∗∗ Phishing with fake invoices from law firms ∗∗∗
---------------------------------------------
According to BlueVoyant, the attackers pose as law firms and abuse the trust their victims place in "reputable" lawyers. [..] The NaurLegal campaign feigns legitimacy by creating and sending PDF files with respectable-looking file names such as "Invoice_[number]_from_[name of law firm].pdf". [..] The NaurLegal campaign's infrastructure includes domains linked to WikiLoader, and its follow-on activity suggests attribution to this malware family. WikiLoader is known for sophisticated evasion techniques, such as checking Wikipedia responses for specific strings in order to bypass sandbox environments.
---------------------------------------------
https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwa…
∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-sec…
∗∗∗ APT29 Uses WINELOADER to Target German Political Parties ∗∗∗
---------------------------------------------
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.
---------------------------------------------
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-p…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
---------------------------------------------
https://lwn.net/Articles/966611/
∗∗∗ Firefox: emergency update closes critical security vulnerabilities ∗∗∗
---------------------------------------------
The Mozilla developers have closed two critical security vulnerabilities with the update to Firefox 124.0.1 and Firefox ESR 115.9.1.
---------------------------------------------
https://heise.de/-9664148
∗∗∗ Security vulnerabilities in Microsoft's WiX installer toolset plugged ∗∗∗
---------------------------------------------
Microsoft's open-source WiX installer toolset has two security vulnerabilities. Updated versions close them.
---------------------------------------------
https://heise.de/-9664602
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ MISP 2.4.188 released with major performance improvements and many bugs fixed. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/
∗∗∗ MISP 2.4.187 released with security fixes, new features and bug fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-06
∗∗∗ F5: K000138990 : BIND vulnerability CVE-2023-4408 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138990
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-03-2024 18:00 − Friday 22-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-…
∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗
---------------------------------------------
The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the site's operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-…
∗∗∗ With forged keycards: hackers can open millions of hotel doors worldwide ∗∗∗
---------------------------------------------
More than three million doors in hotels and apartment buildings are vulnerable to attacks with forged RFID key cards. No expensive special equipment is needed for this.
---------------------------------------------
https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit…
∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗
---------------------------------------------
Attributing a particular IP address to a specific location is hard and often fails miserably.
---------------------------------------------
https://isc.sans.edu/diary/rss/30766
∗∗∗ Support email in the name of Marlene Engelhorn is fake! ∗∗∗
---------------------------------------------
Numerous emails are currently circulating in the name of the Austrian millionaire Marlene Engelhorn: she allegedly wants to use part of her inheritance to support "aspiring entrepreneurs and local projects". Attention: criminals are behind this email. Do not reply under any circumstances.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-marlene-engelhorn/
∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗
---------------------------------------------
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript.
---------------------------------------------
https://unit42.paloaltonetworks.com/strelastealer-campaign/
∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗
---------------------------------------------
In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/
∗∗∗ Security versus openness: a commentary on Secure Boot ∗∗∗
---------------------------------------------
Secure Boot is complicated, fiddly and dominated by Microsoft. Instead, we need open secure systems, says Christof Windeck.
---------------------------------------------
https://heise.de/-9659071
=====================
= Vulnerabilities =
=====================
∗∗∗ KDE advises extreme caution after theme wipes Linux users files ∗∗∗
---------------------------------------------
On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
---------------------------------------------
https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
---------------------------------------------
https://lwn.net/Articles/966415/
∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗
---------------------------------------------
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor.
---------------------------------------------
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s…
∗∗∗ Microsoft closes security vulnerability in Xbox gaming service, after some back and forth ∗∗∗
---------------------------------------------
Microsoft has sealed a security hole in the Xbox Gaming Service. However, this was preceded by a dispute.
---------------------------------------------
https://heise.de/-9662746
∗∗∗ Critical security vulnerability in FortiClientEMS is under attack ∗∗∗
---------------------------------------------
A critical vulnerability in FortiClientEMS is now being actively attacked. In addition, a proof-of-concept exploit has become public.
---------------------------------------------
https://heise.de/-9662866
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-03-2024 18:00 − Thursday 21-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗
---------------------------------------------
A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.
---------------------------------------------
https://arstechnica.com/?p=2011812
∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗
---------------------------------------------
Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account…
∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗
---------------------------------------------
A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai…
∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."
---------------------------------------------
https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗
---------------------------------------------
The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.
---------------------------------------------
https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw…
∗∗∗ Fraudulent Europol SMS leads to malware ∗∗∗
---------------------------------------------
The mass-sent fraudulent SMS claims that you are listed as a party in a EUROPOL case. To lodge an objection, you are supposed to install an app. Caution: you would be installing malware on your device and giving criminals access to your data!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-europol-sms/
∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗
---------------------------------------------
Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor.
---------------------------------------------
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗
---------------------------------------------
Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp…
∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗
---------------------------------------------
The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data.
---------------------------------------------
https://asec.ahnlab.com/en/63308/
∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗
---------------------------------------------
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
---------------------------------------------
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗
---------------------------------------------
In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-…
∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel…
=====================
= Vulnerabilities =
=====================
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗
---------------------------------------------
Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
---------------------------------------------
https://lwn.net/Articles/966246/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01
∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138966
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-03-2024 18:00 − Wednesday 20-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗
---------------------------------------------
Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta…
∗∗∗ Android malware, Android malware and more Android malware ∗∗∗
---------------------------------------------
In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan.
---------------------------------------------
https://securelist.com/crimeware-report-android-malware/112121/
∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗
---------------------------------------------
Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch.
---------------------------------------------
https://isc.sans.edu/diary/rss/30762
∗∗∗ Phishing in the name of the Austrian health insurance fund ÖGK ∗∗∗
---------------------------------------------
Beware of fraudulent emails you receive in the name of the Austrian health insurance fund ÖGK. Currently, you are being led to believe that there is an outstanding refund for you. Do not follow any links here and do not disclose any data. Someone is trying to steal your money and data!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/
∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗
---------------------------------------------
Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that you've told your friends and family to stop being reckless too.
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p…
∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗
---------------------------------------------
Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data.
---------------------------------------------
https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e…
∗∗∗ Loop DoS: various network services suffer from a protocol-level infinite loop ∗∗∗
---------------------------------------------
Among the services that security researchers have identified as at risk are some from the early days of the internet. Network admins are now called upon to act.
---------------------------------------------
https://heise.de/-9660179
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/966053/
∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗
---------------------------------------------
There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/
∗∗∗ Atlassian: March round of patches for Bamboo, Bitbucket, Confluence and Jira ∗∗∗
---------------------------------------------
Atlassian addresses 25 security vulnerabilities in Bamboo, Bitbucket, Confluence and Jira. One of them is rated critical.
---------------------------------------------
https://heise.de/-9660075
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html
∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm
∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry
∗∗∗ Chrome web browser: Google seals several security leaks ∗∗∗
---------------------------------------------
https://heise.de/-9659978
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-03-2024 18:00 − Tuesday 19-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗
---------------------------------------------
A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targ…
∗∗∗ Tournament postponed: possible RCE vulnerability threatens Apex Legends players ∗∗∗
---------------------------------------------
The widely played free-to-play shooter Apex Legends is currently suspected of suffering from a security vulnerability that allows attackers to remotely take control of players' computers. Whether the vulnerability affects the game itself or its anti-cheat software is apparently still unclear.
---------------------------------------------
https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-be…
∗∗∗ ARM MTE: Android's hardware protection against memory bugs can be bypassed ∗∗∗
---------------------------------------------
The memory tagging in modern ARM CPUs is meant to reduce the potential of certain classes of security vulnerabilities. The idea has clear limits. The security research team of the code host GitHub has described the exploitation of a memory bug in which the protection actually intended for it, memory tagging, apparently plays no role at all. According to the report, those involved succeeded in exploiting a vulnerability in ARM's GPU driver, which enables full kernel access and the acquisition of root privileges, even on a current Pixel 8 with the so-called Memory Tagging Extension (MTE) enabled.
---------------------------------------------
https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherlue…
∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗
---------------------------------------------
Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-h…
∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗
---------------------------------------------
The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day.
---------------------------------------------
https://isc.sans.edu/diary/rss/30758
∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗
---------------------------------------------
A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").
---------------------------------------------
https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html
∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗
---------------------------------------------
This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.
---------------------------------------------
https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loade…
∗∗∗ Claroty Report: Numerous Vulnerabilities in Medical Networks and Devices ∗∗∗
---------------------------------------------
Security vendor Claroty has assigned its Team82, a Claroty research unit, to the topic of security in the medical sector, with respect to devices and networks, in order to investigate the effects of the increasing networking of medical devices. The aim of the report is to show the extensive connectivity of critical medical devices, from imaging systems to infusion pumps, and to shed light on the associated risks. [..] The alarming result: vulnerabilities and implementation errors frequently surface in Team82's investigations.
---------------------------------------------
https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachs…
∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗
---------------------------------------------
Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository.
---------------------------------------------
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
---------------------------------------------
https://lwn.net/Articles/965958/
∗∗∗ RaspberryMatic: Critical Vulnerability Allows Code Injection ∗∗∗
---------------------------------------------
The free HomeMatic server RaspberryMatic has a code injection vulnerability. It is rated as critical. An update is available.
---------------------------------------------
https://heise.de/-9658709
∗∗∗ Security Updates for Firefox and Thunderbird ∗∗∗
---------------------------------------------
Mozilla closes numerous security holes in the Firefox web browser and the Thunderbird mail client.
---------------------------------------------
https://heise.de/-9659433
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-03-2024 18:00 − Monday 18-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New acoustic attack determines keystrokes from typing patterns ∗∗∗
---------------------------------------------
Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determin…
∗∗∗ Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.
---------------------------------------------
https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.ht…
∗∗∗ Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects ∗∗∗
---------------------------------------------
Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential.
---------------------------------------------
https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-thre…
∗∗∗ Seasonal Scams: Beware When Booking Your Holiday! ∗∗∗
---------------------------------------------
Fitting the season in which a particularly large number of holiday bookings are made, criminals are publishing fraudulent holiday booking platforms such as fincas-und-villen.com. Do not be dazzled by the low prices and pretty pictures: here you will lose your money and, in the worst case, end up without accommodation at your holiday destination.
---------------------------------------------
https://www.watchlist-internet.at/news/saisonale-betrugsmaschen-urlaubsbuch…
∗∗∗ How to Protect Against/Detect OAuth Applications Across Tenant Boundaries? ∗∗∗
---------------------------------------------
It is a question that probably every security officer asks when it comes to the cloud and access to services via OAuth. The question: how can OAuth applications be protected against/detected across tenant boundaries? And how can this be done with Microsoft technology?
---------------------------------------------
https://www.borncity.com/blog/2024/03/17/wie-oauth-anwendungen-ber-tenant-g…
∗∗∗ Top things that you might not be doing (yet) in Entra Conditional Access – Advanced Edition ∗∗∗
---------------------------------------------
In this second part, we’ll go over more advanced security controls within Conditional Access that, in my experience, are frequently overlooked in environments during security assessments.
---------------------------------------------
https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet…
∗∗∗ Ethereum’s CREATE2: A Double-Edged Sword in Blockchain Security ∗∗∗
---------------------------------------------
Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds.
---------------------------------------------
https://research.checkpoint.com/2024/ethereums-create2-a-double-edged-sword…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Aiohttp bug to find vulnerable networks ∗∗∗
---------------------------------------------
The ransomware actor ShadowSyndicate was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-…
∗∗∗ Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 ∗∗∗
---------------------------------------------
In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit.
---------------------------------------------
https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-r…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8).
---------------------------------------------
https://lwn.net/Articles/965829/
∗∗∗ PoC Published for Critical Fortra Code Execution Vulnerability ∗∗∗
---------------------------------------------
A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution.
---------------------------------------------
https://www.securityweek.com/poc-published-for-critical-fortra-code-executi…
∗∗∗ Critical Vulnerability CVE-2024-21762 in Fortinet FortiOS Is Being Actively Exploited ∗∗∗
---------------------------------------------
In our warning of 9 February 2024 we already reported on the vulnerabilities CVE-2024-21762 and CVE-2024-23113 and subsequently informed owners via the abuse contacts registered for the IP addresses. CVE-2024-21762 has recently started being actively exploited. Unauthenticated attackers can execute arbitrary code on affected devices.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/kritische-sicherheitslucke-cve-2024-217…
∗∗∗ Spring Framework: Updates Fix New, Old Vulnerability ∗∗∗
---------------------------------------------
If Spring-based applications use a URL parsing function of the framework, they open themselves up to various attacks. Not for the first time.
---------------------------------------------
https://heise.de/-9657496
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Stack-based Overflow Vulnerability in the TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0006
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-03-2024 18:00 − Friday 15-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗
---------------------------------------------
SIM swappers have adapted their attacks to steal a target's phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone…
∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗
---------------------------------------------
A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri…
∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗
---------------------------------------------
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
---------------------------------------------
https://isc.sans.edu/diary/rss/30746
∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.
---------------------------------------------
https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht…
∗∗∗ Beware of the Subscription Trap on produktretter.at! ∗∗∗
---------------------------------------------
Register once and you will receive high-quality, fully functional products that others have returned. Only shipping costs of at most 2.99 euros apply. Sounds too good to be true? It is. Sites like produktretter.at, produkttest-anmeldung.com or retourenheld.io lure you into a subscription trap. The promised products never arrive.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre…
∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗
---------------------------------------------
We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system.
---------------------------------------------
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
∗∗∗ How to share sensitive files securely online ∗∗∗
---------------------------------------------
Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe.
---------------------------------------------
https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl…
∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗
---------------------------------------------
Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.
---------------------------------------------
https://blog.talosintelligence.com/ransomware-affiliate-model/
∗∗∗ Two Backdoors in Ivanti Appliances Analysed ∗∗∗
---------------------------------------------
In early 2024, Ivanti's Pulse Secure appliances were widely exploited via the then-reported vulnerabilities CVE-2023-46805 and CVE-2024-21887. Security researchers have now described two specimens of these backdoors in detail.
---------------------------------------------
https://heise.de/-9656137
∗∗∗ Security Researchers Annoyed: NVD Vulnerability Database Incomplete for Weeks ∗∗∗
---------------------------------------------
The database operated by the US government enriches vulnerabilities reported in the CVE system with important metadata. This has not happened since February. [..] Of more than 2,200 vulnerabilities with CVE IDs published since 15 February, only 59 have been given metadata; 2,152 lie fallow. [..] The NVD is currently silent on how it intends to work through the thousands of open vulnerabilities and, above all, when it will resume its work.
---------------------------------------------
https://heise.de/-9656574
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity: Critical
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗
---------------------------------------------
In February 2024, still-supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on the user's computer when the user opened a malicious hyperlink in the attacker's email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010
---------------------------------------------
https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/965576/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗
---------------------------------------------
https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-03-2024 18:00 − Thursday 14-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗
---------------------------------------------
The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us…
∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗
---------------------------------------------
Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages.
---------------------------------------------
https://isc.sans.edu/diary/rss/30744
∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗
---------------------------------------------
Recently, the US National Security Agency (NSA) joined the United Kingdom’s National Cyber Security Centre (NCSC) in releasing an advisory detailing the recent TTPs (or tactics, techniques, and procedures) of the group known as APT29 (or, in other taxonomies of threat actors, Midnight Blizzard, the Dukes, and Cozy Bear).
---------------------------------------------
https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-…
=====================
= Vulnerabilities =
=====================
∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗
---------------------------------------------
In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them.
---------------------------------------------
https://securelist.com/windows-vulnerabilities/112232/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server).
---------------------------------------------
https://lwn.net/Articles/965470/
∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗
---------------------------------------------
A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints.
---------------------------------------------
https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex…
∗∗∗ Cisco Closes High-Risk Vulnerabilities in IOS XR ∗∗∗
---------------------------------------------
Cisco warns of security vulnerabilities, some of high risk, in the IOS XR router operating system. Updates are available.
---------------------------------------------
https://heise.de/-9654542
∗∗∗ Upgrade Quickly: Problematic Vulnerability in Apple's GarageBand ∗∗∗
---------------------------------------------
According to Apple, GarageBand 10.4.11 does not deliver new features. It does, however, contain an important security fix. Users should update the macOS app quickly.
---------------------------------------------
https://heise.de/-9654638
∗∗∗ HP: Many Laptops and PCs Affected by Code Injection Vulnerability ∗∗∗
---------------------------------------------
A BIOS security feature of HP laptops and PCs can be bypassed by attackers. BIOS updates are available or are currently being developed.
---------------------------------------------
https://heise.de/-9654678
∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/488902
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Softing edgeConnector ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13
∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14
∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-03-2024 18:00 − Wednesday 13-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗
---------------------------------------------
We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-g…
∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗
---------------------------------------------
Today, most of the malicious scripts in the wild are heavily obfuscated. [..] There was a huge amount of obfuscated strings (443 in total). Let's try to process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script).
---------------------------------------------
https://isc.sans.edu/diary/rss/30740
∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗
---------------------------------------------
A number of software brands are being impersonated with malicious ads and fake sites to distribute malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-deliv…
∗∗∗ Money Laundering Instead of Babysitting: Beware of This Job Scam! ∗∗∗
---------------------------------------------
Criminals use babysitting exchanges to supposedly look for care for their child or children. The purported parent claims to currently still live abroad and to be moving to Austria at a later date. So that the children feel at home right from the start, the new babysitters are asked to buy toys in advance.
---------------------------------------------
https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsic…
∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗
---------------------------------------------
Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities.
---------------------------------------------
https://therecord.media/jetbrains-rapid7-silent-patching-dispute
∗∗∗ Unpacking Flutter hives ∗∗∗
---------------------------------------------
The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code.
---------------------------------------------
https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/
∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗
---------------------------------------------
Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow.
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-leveraging-document-publis…
∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗
---------------------------------------------
The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-ope…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗
---------------------------------------------
Security Impact Rating: 3x High, 4x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗
---------------------------------------------
Security Impact Rating: 3x Medium
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗
---------------------------------------------
Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.
---------------------------------------------
https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpat…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
---------------------------------------------
https://lwn.net/Articles/965278/
∗∗∗ March Patch Tuesday: Microsoft Plugs Two Critical Holes in Hyper-V ∗∗∗
---------------------------------------------
In total, the March Patch Tuesday brings fixes for 61 vulnerabilities.
---------------------------------------------
https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritisch…
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-…
∗∗∗ AMD and Intel Close CPU Vulnerabilities in Core and Ryzen CPUs ∗∗∗
---------------------------------------------
For Patch Tuesday, AMD and Intel acknowledge further vulnerabilities in their processors. Among other things, race conditions are involved.
---------------------------------------------
https://heise.de/-9653846
∗∗∗ Fortinet Patch Day: Updates Against Critical Vulnerabilities ∗∗∗
---------------------------------------------
For the March patch day, Fortinet has closed vulnerabilities in FortiOS, FortiProxy, FortiClientEMS and FortiManager.
---------------------------------------------
https://heise.de/-9653730
∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-upd…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗
---------------------------------------------
https://support.lenovo.com/at/de/product_security/home
∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-453.html
∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-452.html
∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-039/
∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html
∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006
∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005
∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004
∗∗∗ Google Chrome: three security holes plugged ∗∗∗
---------------------------------------------
https://heise.de/-9653082
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-03-2024 18:00 − Tuesday 12-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Inception attack: new attack technique enables manipulation of VR content ∗∗∗
---------------------------------------------
Attackers can not only harvest sensitive information but also alter the content displayed to the VR user without the user noticing anything.
---------------------------------------------
https://www.golem.de/news/inception-attack-neue-angriffstechnik-ermoeglicht…
∗∗∗ Cancelling contracts and subscriptions: beware of paid offers ∗∗∗
---------------------------------------------
You want to cancel your contract but do not know how? Often the cancellation information and the contact addresses of the company in question cannot be found either. For good reason, consumers therefore look for services that handle the cancellation process for them. These services are often fee-based or are themselves a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/vertraege-und-abos-kuendigen-vorsich…
∗∗∗ Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption ∗∗∗
---------------------------------------------
Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ CISA Publishes SCuBA Hybrid Identity Solutions Guidance ∗∗∗
---------------------------------------------
CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hyb…
∗∗∗ VCURMS: A Simple and Functional Weapon ∗∗∗
---------------------------------------------
FortiGuard Labs uncovers a VCURMS RAT weapon and STRRAT in a phishing campaign
---------------------------------------------
https://feeds.fortinet.com/~/873512375/0/fortinet/blogs~VCURMS-A-Simple-and…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/965113/
∗∗∗ SAP closes ten security vulnerabilities on the March patch day ∗∗∗
---------------------------------------------
SAP has published ten new security notes for the March patch day. Two of the closed vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-9652057
∗∗∗ Synology seals security holes in SRM ∗∗∗
---------------------------------------------
Synology Router Manager (SRM) contains security holes through which attackers can, for example, inject scripts. An update is available.
---------------------------------------------
https://heise.de/-9652225
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Fortiguard Security Advisories ∗∗∗
---------------------------------------------
https://www.fortiguard.com/psirt
∗∗∗ SSA-918992 V1.0: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-918992.html
∗∗∗ SSA-832273 V1.0: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-832273.html
∗∗∗ SSA-792319 V1.0: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-792319.html
∗∗∗ SSA-770721 V1.0: Multiple Vulnerabilities in SIMATIC RF160B before V2.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-770721.html
∗∗∗ SSA-653855 V1.0: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-653855.html
∗∗∗ SSA-576771 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-576771.html
∗∗∗ SSA-382651 V1.0: File Parsing Vulnerability in Solid Edge before V223.0.11 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-382651.html
∗∗∗ SSA-366067 V1.0: Multiple Vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-366067.html
∗∗∗ SSA-353002 V1.0: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-353002.html
∗∗∗ SSA-225840 V1.0: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-225840.html
∗∗∗ SSA-145196 V1.0: Authorization Bypass Vulnerability in Siveillance Control ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-145196.html
∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-011/
∗∗∗ Citrix SDWAN Security Bulletin for CVE-2024-2049 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX617071/citrix-sdwan-security-bulletin…
∗∗∗ Stack-based Overflow Vulnerability in the TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0005
∗∗∗ Missing PSK secret for IKEv2 connection can cause libreswan to restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt
∗∗∗ Schneider Electric EcoStruxure Power Design ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-072-01