=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-04-2024 18:00 − Thursday 02-05-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVD - Notes on the press conference ∗∗∗
---------------------------------------------
I was invited to sit on the panel at a press conference held by Epicenter.works today. It concerned a case in which a classic responsible disclosure of a vulnerability (Responsible Disclosure, or Coordinated Vulnerability Disclosure [CVD]) led to criminal charges. The case can be read up on the Epicenter website. I want to briefly summarise my notes / speaking notes here.
---------------------------------------------
https://cert.at/de/blog/2024/4/cvd-policy
∗∗∗ CISA warns: MS Smartscreen and Gitlab vulnerabilities are under attack ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA has observed attacks on a vulnerability in Microsoft Smartscreen and on a Gitlab vulnerability.
---------------------------------------------
https://heise.de/-9705715
∗∗∗ Digital signatures: Data leak at Dropbox Sign ∗∗∗
---------------------------------------------
Unknown attackers were able to access customer data of the digital signature service Dropbox Sign. Other Dropbox products are reportedly not affected.
---------------------------------------------
https://heise.de/-9705355
∗∗∗ Windows 10/11/Server 2022: No more fix for installation error 0x80070643 during the WinRE update ∗∗∗
---------------------------------------------
Since January 2024, users of Windows 10 and Windows 11 (as well as Windows Server 2022) have been struggling with Microsoft's attempt to install an update of the WinRE environment. In January 2024, around Patchday, numerous users ran into installation error 0x80070643 when attempting to install update KB5034441. Despite several attempts at remediation in the following months, Microsoft has not managed to eliminate the installation error. Now comes the admission that there is no automatic fix for the update: manual work is required.
---------------------------------------------
https://www.borncity.com/blog/2024/05/02/windows-10-11-kein-fix-fr-den-inst…
∗∗∗ “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps ∗∗∗
---------------------------------------------
Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attac…
∗∗∗ Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th) ∗∗∗
---------------------------------------------
Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS. [..] Based on our logs, only one IP address exploits the vulnerability: 89.190.156.248.
---------------------------------------------
https://isc.sans.edu/diary/rss/30884
∗∗∗ Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. [..] The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection.
---------------------------------------------
https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html
∗∗∗ New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials ∗∗∗
---------------------------------------------
A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gathering authentication data from HTTP GET and POST requests. [..] Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers.
---------------------------------------------
https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html
∗∗∗ Autodesk: Important Security Update for Autodesk Drive ∗∗∗
---------------------------------------------
In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-autodesk-dr…
∗∗∗ Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) ∗∗∗
---------------------------------------------
While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/64921/
∗∗∗ CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity ∗∗∗
---------------------------------------------
This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerabilities in ArubaOS - updates available ∗∗∗
---------------------------------------------
ArubaOS, the operating system of many HPE Aruba Networks devices, contains several critical vulnerabilities. Among other things, they allow execution of arbitrary code and denial-of-service (DoS) attacks.
CVE numbers: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512, CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518
CVSSv3 scores: up to 9.8 (critical)
---------------------------------------------
https://cert.at/de/warnungen/2024/5/kritische-sicherheitslucken-in-arubaos-…
∗∗∗ CISCO Talos: Vulnerability Roundup ∗∗∗
---------------------------------------------
This roundup covers vulnerabilities in Peplink Smart Reader, Silicon Labs Gecko Platform, an open-source library for DICOM files, the Grassroots DICOM library, and Foxit PDF Reader.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-may-1-2024/
∗∗∗ Sonicwall: GMS ECM multiple vulnerabilities ∗∗∗
---------------------------------------------
CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability. CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/972186/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5).
---------------------------------------------
https://lwn.net/Articles/972029/
∗∗∗ Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover ∗∗∗
---------------------------------------------
Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-san…
∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ F5: K000139430 : Linux kernel vulnerability CVE-2024-1086 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139430
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ ZDI-24-419: (Pwn2Own) Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-419/
∗∗∗ ZDI-24-418: (Pwn2Own) Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-418/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CyberPower PowerPanel ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01
∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-04-2024 18:00 − Tuesday 30-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake SMS messages in the name of the Federal Chancellery ∗∗∗
---------------------------------------------
Caution: criminals are posing as the Austrian Federal Chancellery (Bundeskanzleramt Österreich). The SMS claims that a message is waiting for you. Do not click the link under any circumstances; you will be redirected to a fake website.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-sms-im-namen-von-bundesk…
∗∗∗ FBI warns of fake verification schemes targeting dating app users ∗∗∗
---------------------------------------------
The FBI is warning of fake verification schemes promoted by fraudsters on online dating platforms that lead to costly recurring subscription charges. [..] It starts with fraudsters approaching victims on a dating app or site and developing a romantic rapport. This lays the ground for requesting to take the conversation outside the platform onto a supposedly safer communications tool. At this stage, the fraudster sends a link to the victim that will take them to a seemingly legitimate verification platform where the victim will have to verify they're not a sexual offender.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verificati…
∗∗∗ Millions of Malicious Imageless Containers Planted on Docker Hub Over 5 Years ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. [..] Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns.
---------------------------------------------
https://thehackernews.com/2024/04/millions-of-malicious-imageless.html
∗∗∗ The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen ∗∗∗
---------------------------------------------
McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-le…
∗∗∗ Chrome 124 breaks the TLS handshake ∗∗∗
---------------------------------------------
Google recently released version 124 of its Chrome browser. Besides fixing vulnerabilities, the developers also changed something in the TLS encryption (X25519Kyber768 key encapsulation for TLS). Meanwhile, users are reporting that this change can break the TLS handshake to web servers. This also affects Chromium-based browsers such as Edge 124.
---------------------------------------------
https://www.borncity.com/blog/2024/04/30/chrome-124-macht-tls-handshake-kap…
∗∗∗ Google Play blocks more than 2 million trojan apps – and the trend is rising ∗∗∗
---------------------------------------------
Thanks to stricter security checks, Google locked out nearly 2.3 million malicious apps in 2023. Despite the increased efforts, some still slip through.
---------------------------------------------
https://heise.de/-9703405
∗∗∗ CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure ∗∗∗
---------------------------------------------
New CISA guidelines categorize AI risks into three significant types and push a four-part mitigation strategy. [..] The guidelines call on management to act decisively on identified AI risks to enhance safety and security, ensuring that risk management controls are implemented and maintained to optimize the benefits of AI systems while minimizing adverse effects.
---------------------------------------------
https://www.securityweek.com/cisa-rolls-out-new-guidelines-to-mitigate-ai-r…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (org-mode), Oracle (shim and tigervnc), Red Hat (ansible-core, avahi, buildah, container-tools:4.0, containernetworking-plugins, edk2, exfatprogs, fence-agents, file, freeglut, freerdp, frr, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, kernel, libjpeg-turbo, libnbd, LibRaw, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild and osbuild-composer, pam, pcp, pcs, perl, pmix, podman, python-jinja2, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, squashfs-tools, systemd, tcpdump, tigervnc, toolbox, traceroute, webkit2gtk3, wpa_supplicant, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (docker, ffmpeg, ffmpeg-4, frr, and kernel), and Ubuntu (anope, freerdp3, and php7.0, php7.2, php7.4, php8.1).
---------------------------------------------
https://lwn.net/Articles/971740/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ ChromeOS: Long Term Support Channel Update for ChromeOS ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2024/04/long-term-support-channel-upda…
∗∗∗ [R1] Nessus Network Monitor 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-07
∗∗∗ Delta Electronics CNCSoft-G2 DOPSoft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/icsa-24-121-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-04-2024 18:00 − Monday 29-04-2024 18:01
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Winrar: Spoofed output possible under Linux and MotW problems on Windows ∗∗∗
---------------------------------------------
Version 7.00 of the archiving software Winrar also closes security holes. Under Linux, output can be spoofed; on Windows, MotW markings can be. [..] Winrar 7.00 was already released several weeks ago.
---------------------------------------------
https://heise.de/-9701474
∗∗∗ Okta warns of "unprecedented" credential stuffing attacks on customers ∗∗∗
---------------------------------------------
Okta warns of an "unprecedented" spike in credential stuffing attacks targeting its identity and access management solutions, with some customer accounts breached in the attacks. [..] Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takeover.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-…
∗∗∗ D-Link NAS Device Backdoor Abused, (Mon, Apr 29th) ∗∗∗
---------------------------------------------
At the end of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. [..] Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by D-Link, and no patch is expected to be released.
---------------------------------------------
https://isc.sans.edu/diary/rss/30878
∗∗∗ New R Programming Vulnerability Exposes Projects to Supply Chain Attacks ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. [..] The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.
---------------------------------------------
https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.h…
∗∗∗ Discord dismantles Spy.pet site that snooped on millions of users ∗∗∗
---------------------------------------------
The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers. Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/04/29/infosec_in_b…
∗∗∗ Having Google reviews removed? Beware of entferno.at ∗∗∗
---------------------------------------------
entferno.at promises to have Google reviews removed – allegedly with a success rate of 95 percent. Those who take up this offer are disappointed, however: in recent cases no reviews were deleted despite payment, and written and telephone enquiries went unanswered. The money is gone!
---------------------------------------------
https://www.watchlist-internet.at/news/google-bewertungen-entfernen-lassen-…
∗∗∗ From IcedID to Dagon Locker Ransomware in 29 Days ∗∗∗
---------------------------------------------
In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. [..] This case had a TTR (time to ransomware) of 29 days.
---------------------------------------------
https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware…
∗∗∗ British government bans devices with weak passwords ∗∗∗
---------------------------------------------
Companies are legally obliged to protect their devices against cybercriminals. Smartphones with insecure passwords must be reported in future.
---------------------------------------------
https://heise.de/-9702215
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow).
---------------------------------------------
https://lwn.net/Articles/971487/
∗∗∗ Qnap closes NAS security holes from the Pwn2Own hacking contest ∗∗∗
---------------------------------------------
Qnap NAS models are vulnerable. The manufacturer has now released security updates for the operating system and apps.
---------------------------------------------
https://heise.de/-9701977
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-04-2024 18:00 − Friday 26-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ NIS2 directive: A second look at the text ∗∗∗
---------------------------------------------
While writing our statements on the draft of the NISG 2024, I took a closer look at the paragraphs that affect us. This time not from the angle of "does this make sense", but with a focus on the wording. It reminds me a bit of the time when I helped write RFCs and, during reviews, scrutinised every word for possible misinterpretations. While reading I had three documents open: the draft law, the German version of the directive, and the English version as well. And many of the poor formulations were not inventions from Vienna but had already been invented in Brussels. I want to document that here.
---------------------------------------------
https://cert.at/de/blog/2024/4/nis2-formulierungen
∗∗∗ Researchers sinkhole PlugX malware server with 2.5 million unique IPs ∗∗∗
---------------------------------------------
Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [..] Sekoia has formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams and law enforcement agencies to join the disinfection effort.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-m…
∗∗∗ Via brute force: Vulnerability in GLS tracking exposes recipient addresses ∗∗∗
---------------------------------------------
Due to missing brute-force protection, it was possible to extract the exact address data of GLS parcel recipients from a GLS API.
---------------------------------------------
https://www.golem.de/news/per-brute-force-schwachstelle-beim-gls-tracking-l…
∗∗∗ Cracked by GPU: How secure 8-character passwords are in 2024 ∗∗∗
---------------------------------------------
A good password should be at least 8 characters long, as the recommendation often goes. New research, however, shows that the time is ripe for more. [..] A new report by the cybersecurity company Hive Systems shows that 8-character passwords can now be cracked in a manageable amount of time, depending on the hashing algorithm used and the available GPU power.
---------------------------------------------
https://www.golem.de/news/per-gpu-geknackt-so-sicher-sind-8-zeichen-passwoe…
∗∗∗ Fake invoices from firmenradar.com in circulation! ∗∗∗
---------------------------------------------
Companies are currently contacting us because they have received invoices and do not know what they are supposed to be paying for. The invoices come from firmenradar.com and demand 899 euros for a "platinum entry". Do not pay anything! It is fraud.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-rechnungen-von-firmenradarcom-i…
∗∗∗ “Junk gun” ransomware: the cheap new threat to small businesses ∗∗∗
---------------------------------------------
A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. [..] "Junk gun" ransomware is appealing to a criminal who wants to operate independently but lacks technical skills. [..] A low entry barrier means potentially more ransomware attackers.
---------------------------------------------
https://www.tripwire.com/state-of-security/junk-gun-ransomware-cheap-new-th…
∗∗∗ C-DATA Web Management System RCE Attack ∗∗∗
---------------------------------------------
FortiGuard Labs observed a critical level of attack attempts in the wild targeting a 2-year-old vulnerability found on C-DATA Web Management System. [..] The vulnerability CVE-2022-4257 allows a remote attacker to execute arbitrary commands on the target system.
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/c-data-rce-attack
∗∗∗ Chinese keyboard apps have a vulnerability and reveal what users type ∗∗∗
---------------------------------------------
As early as August 2023, researchers at Citizen Lab found that the popular keyboard app Sogou did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. Without TLS, however, keyboard input can be recorded by third parties. Although Sogou fixed the problem after it became known last year, many preinstalled Sogou keyboards are not up to date and can still be eavesdropped on.
---------------------------------------------
https://heise.de/-9699644
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix).
---------------------------------------------
https://lwn.net/Articles/971289/
∗∗∗ QNAP Security Advisories 2024-04-26 ∗∗∗
---------------------------------------------
QNAP released 6 new security advisories.
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mattermost security updates 9.7.2 / 9.6.2 / 9.5.4 (ESR) / 8.1.13 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-7-2-9-6-2-9-5-4-e…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-04-2024 18:00 − Thursday 25-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New Brokewell malware takes over Android devices, steals data ∗∗∗
---------------------------------------------
Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-…
∗∗∗ Does it matter if iptables isn't running on my honeypot?, (Thu, Apr 25th) ∗∗∗
---------------------------------------------
I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks.
---------------------------------------------
https://isc.sans.edu/diary/rss/30862
∗∗∗ Sifting through the spines: identifying (potential) Cactus ransomware victims ∗∗∗
---------------------------------------------
This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access.
---------------------------------------------
https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identif…
∗∗∗ ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ∗∗∗
---------------------------------------------
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.
---------------------------------------------
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaig…
∗∗∗ Talos IR trends: BEC attacks surge, while weaknesses in MFA persist ∗∗∗
---------------------------------------------
Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.
---------------------------------------------
https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/
∗∗∗ Threat Bulletin – New variant of IDAT Loader ∗∗∗
---------------------------------------------
Morphisec has successfully identified and prevented a new variant of IDAT loader.
---------------------------------------------
https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant
∗∗∗ Ransomware Roundup - KageNoHitobito and DoNex ∗∗∗
---------------------------------------------
KageNoHitobito and DoNex are recent ransomware families that are financially motivated, demanding payment from victims to decrypt files.
---------------------------------------------
https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Maximum severity Flowmon bug has a public exploit, patch now ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug…
∗∗∗ WP Automatic WordPress plugin hit by millions of SQL injection attacks ∗∗∗
---------------------------------------------
Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugi…
∗∗∗ Via zero-day vulnerabilities: Cisco firewalls have been under attack for months ∗∗∗
---------------------------------------------
A previously unknown hacker group has been exploiting two zero-day vulnerabilities in Cisco firewalls since at least November 2023 to infiltrate networks.
---------------------------------------------
https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-wer…
∗∗∗ On Windows: Vulnerability in VirtualBox grants attackers system privileges ∗∗∗
---------------------------------------------
Two researchers have independently discovered a vulnerability in Oracle's VirtualBox. Attackers can use it to escalate their privileges on Windows hosts.
---------------------------------------------
https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleih…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/971140/
∗∗∗ Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking ∗∗∗
---------------------------------------------
The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Security Advisories 2024-04-25 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
∗∗∗ Multiple Vulnerabilities in Hitachi Energy RTU500 Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01
∗∗∗ Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04
∗∗∗ Hitachi Energy MACH SCM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02
∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0005
∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0005
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-04-2024 18:00 − Wednesday 24-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Microsoft pulls fix for Outlook bug behind ICS security alerts ∗∗∗
---------------------------------------------
Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-out…
∗∗∗ Assessing the Y, and How, of the XZ Utils incident ∗∗∗
---------------------------------------------
In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects.
---------------------------------------------
https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/
∗∗∗ Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver malware called SSLoad.
---------------------------------------------
https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html
∗∗∗ Decrypting FortiOS 7.0.x ∗∗∗
---------------------------------------------
Decrypting Fortinet’s FortiGate FortiOS firmware is a topic that has been thoroughly covered, in part because of the many variants and permutations of FortiOS firmware, all differing based on hardware architecture and versioning.
---------------------------------------------
https://www.labs.greynoise.io/grimoire/2024-04-23-decrypting-fortios/
∗∗∗ New Password Cracking Analysis Targets Bcrypt ∗∗∗
---------------------------------------------
Hive Systems conducts another study on cracking passwords via brute-force attacks, but it’s no longer targeting MD5.
---------------------------------------------
https://www.securityweek.com/new-password-cracking-analysis-targets-bcrypt/
∗∗∗ Musicians beware: spam emails promise a valuable piano ∗∗∗
---------------------------------------------
Musicians, and pianists in particular, currently need to be on guard against fraudulent emails promising them an expensive piano. Criminals pose as a widow looking for buyers for expensive instruments, such as her late husband's Yamaha Baby Grand Piano.
---------------------------------------------
https://www.watchlist-internet.at/news/musikerinnen-aufgepasst-spam-mails-v…
∗∗∗ Windows question: Where does BitLocker store the recovery key? ∗∗∗
---------------------------------------------
BitLocker, the "unknown creature", is how I would like to loosely title this blog post. It is about the question of where the Windows feature BitLocker actually stores the recovery key, which is needed from time to time.
---------------------------------------------
https://www.borncity.com/blog/2024/04/24/windows-frage-wo-speichert-bitlock…
∗∗∗ Exchange Server April 2024 Hotfix Updates (24 April 2024) ∗∗∗
---------------------------------------------
On 24 April, Microsoft released hotfix updates (HU) for Exchange Server 2016 and 2019. These hotfix updates provide support for new features and are intended to fix problems caused by the March 2024 Security Update (SU).
---------------------------------------------
https://www.borncity.com/blog/2024/04/24/exchange-server-april-2024-hotfix-…
∗∗∗ Distribution of Infostealer Made With Electron ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron.
---------------------------------------------
https://asec.ahnlab.com/en/64445/
=====================
= Vulnerabilities =
=====================
∗∗∗ Grafana backend sql injection affected all version ∗∗∗
---------------------------------------------
To exploit this SQL injection vulnerability, someone must log in to the Grafana web backend with a valid account, then send a malicious POST request to the /api/ds/query “rawSql” entry.
---------------------------------------------
https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, [...]
---------------------------------------------
https://lwn.net/Articles/971004/
∗∗∗ Google Patches Critical Chrome Vulnerability ∗∗∗
---------------------------------------------
Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward.
---------------------------------------------
https://www.securityweek.com/google-patches-critical-chrome-vulnerability/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-04-2024 18:00 − Tuesday 23-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials ∗∗∗
---------------------------------------------
Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-b…
∗∗∗ Struts "devmode": Still a problem ten years later?, (Tue, Apr 23rd) ∗∗∗
---------------------------------------------
Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution.
---------------------------------------------
https://isc.sans.edu/diary/rss/30866
∗∗∗ An Analysis of the DHEat DoS Against SSH in Cloud Environments ∗∗∗
---------------------------------------------
The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources.
---------------------------------------------
https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-a…
∗∗∗ New on Vinted? Don't scan any QR code! ∗∗∗
---------------------------------------------
Caution! Criminals are specifically contacting new Vinted users. They pretend to want to buy the item and send a QR code. However, the QR code leads to a fake Vinted payment page. There, the criminals ask for your bank details and try to steal your money.
---------------------------------------------
https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr…
∗∗∗ Suspected CoralRaider continues to expand victimology using three information stealers ∗∗∗
---------------------------------------------
Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
---------------------------------------------
https://blog.talosintelligence.com/suspected-coralraider-continues-to-expan…
∗∗∗ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining ∗∗∗
---------------------------------------------
Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.
---------------------------------------------
https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-fo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid).
---------------------------------------------
https://lwn.net/Articles/970889/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Welotec: Clickjacking Vulnerability in WebUI ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-023/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-04-2024 18:00 − Monday 22-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗
---------------------------------------------
Have you ever encountered the term double agent? Recently, we've had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages.
---------------------------------------------
https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the…
∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗
---------------------------------------------
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software.
---------------------------------------------
https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html
∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗
---------------------------------------------
Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool.
---------------------------------------------
https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-sec…
∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗
---------------------------------------------
The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebran…
∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗
---------------------------------------------
BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-st…
∗∗∗ Security vulnerability uncovered: Researcher cracks Cisco appliance and plays Doom ∗∗∗
---------------------------------------------
Using a self-developed exploit toolkit, he gained root access to the BMC of a Cisco ESA C195. [..] However, CVE-2024-20356 alone is not enough to run Doom on the C195. Thacker first made various modifications to the BIOS of the Cisco ESA and only then gained root access to the BMC over the network using Ciscown. [..] A list of systems that are vulnerable in the default configuration can be found in Cisco's security advisory, along with the respective system versions that contain a patch.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisc…
∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗
---------------------------------------------
We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.
---------------------------------------------
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112…
∗∗∗ Beware of job offers via WhatsApp, SMS or Telegram ∗∗∗
---------------------------------------------
The scam starts directly on your smartphone: you receive a message from a job agency on WhatsApp, Telegram or another messenger. You are offered a side job with flexible hours. Your task is to rate or test hotels, online shops or other services. Supposedly you can earn between 300 and 1000 euros a day this way.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsa…
∗∗∗ NATO cyber exercise "Locked Shields": Preventing phishing, defending containers ∗∗∗
---------------------------------------------
NATO's cyber security centre is hosting its large-scale exercise. It simulates how critical infrastructure can be protected against digital attacks.
---------------------------------------------
https://heise.de/-9691854
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗
---------------------------------------------
On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-f…
∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗
---------------------------------------------
Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability.
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-750274.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow).
---------------------------------------------
https://lwn.net/Articles/970793/
∗∗∗ Patch now! Attacks on CrushFTP file transfer servers observed ∗∗∗
---------------------------------------------
The vendor of the file transfer server software CrushFTP is warning of a security vulnerability that, according to security researchers, attackers are already exploiting. Hardened versions are available for download. A security advisory states that releases 10.7.1 and 11.1.0 are protected against the attacks.
---------------------------------------------
https://heise.de/-9693009
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-04-2024 18:02 − Friday 19-04-2024 18:02
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google ad impersonates Whales Market to push wallet drainer malware ∗∗∗
---------------------------------------------
A legitimate-looking Google Search advertisement for the crypto trading platform Whales Market redirects visitors to a wallet-draining phishing site that steals all of your assets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whale…
∗∗∗ Fake cheat lures gamers into spreading infostealer malware ∗∗∗
---------------------------------------------
A new info-stealing malware linked to Redline poses as a game cheat called Cheat Lab, promising downloaders a free copy if they convince their friends to install it too.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into…
∗∗∗ SAP Applications Increasingly in Attacker Crosshairs, Report Shows ∗∗∗
---------------------------------------------
Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint.
---------------------------------------------
https://www.securityweek.com/sap-applications-increasingly-in-attacker-cros…
∗∗∗ Phishing emails in the name of the ÖGK circulating again! ∗∗∗
---------------------------------------------
We are currently once again receiving numerous reports of fraudulent messages sent in the name of the Österreichische Gesundheitskasse (ÖGK). They lead you to believe that you will receive a refund of 150.95 euros.
---------------------------------------------
https://www.watchlist-internet.at/news/erneut-phishing-mails-im-namen-der-o…
∗∗∗ #StopRansomware: Akira Ransomware ∗∗∗
---------------------------------------------
The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
∗∗∗ "Disable iMessage": Warning about alleged exploit unsettles users ∗∗∗
---------------------------------------------
A well-known crypto wallet is warning iOS users about a "high-risk zero-day exploit for iMessage". The alleged exploit could, however, be a scam.
---------------------------------------------
https://heise.de/-9690778
∗∗∗ DDoS platform taken down by international law enforcement ∗∗∗
---------------------------------------------
International law enforcement agencies have taken down a DDoS-as-a-service platform and seized its domain.
---------------------------------------------
https://heise.de/-9691053
∗∗∗ Ionos phishing: Scam citing new EU guidelines is meant to convince victims ∗∗∗
---------------------------------------------
The Phishingradar warns of a phishing scam in which Ionos customers supposedly have to agree to new EU guidelines.
---------------------------------------------
https://heise.de/-9691259
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark).
---------------------------------------------
https://lwn.net/Articles/970508/
∗∗∗ FIDO2 sticks: Flaw in Yubikey management software allows privilege escalation ∗∗∗
---------------------------------------------
To manage Yubikey FIDO2 sticks, the manufacturer provides a software tool. A flaw in it allows privilege escalation.
---------------------------------------------
https://heise.de/-9690597
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-04-2024 18:00 − Thursday 18-04-2024 18:02
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CERT.at's statement on the NISG 2024 ∗∗∗
---------------------------------------------
The EU adopted the NIS2 Directive at the end of 2022, giving EU member states until autumn 2024 to transpose it into national law. A draft of this law is now available, and we have taken a close look at how the points that affect us as the national CSIRT have been implemented. In doing so, we noticed several places where we see clear and simple potential for improvement.
---------------------------------------------
https://cert.at/de/blog/2024/4/nisg2024-stellungnahme
∗∗∗ Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks ∗∗∗
---------------------------------------------
Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMetadata workloads left unpatched. [..] The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMetadata versions 1.2.4 and 1.3.1.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-hijack-openmetadata-…
∗∗∗ Cybercriminals pose as LastPass staff to hack password vaults ∗∗∗
---------------------------------------------
The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastp…
∗∗∗ With CVE description: GPT-4 can autonomously exploit known security vulnerabilities ∗∗∗
---------------------------------------------
Researchers have found that GPT-4 can successfully exploit 13 of 15 security vulnerabilities based solely on the associated vulnerability descriptions.
---------------------------------------------
https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bek…
∗∗∗ Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor ∗∗∗
---------------------------------------------
A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell. "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.
---------------------------------------------
https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html
∗∗∗ Redline Stealer: A Novel Approach ∗∗∗
---------------------------------------------
A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. [..] In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-nove…
∗∗∗ Analysis of Pupy RAT Used in Attacks Against Linux Systems ∗∗∗
---------------------------------------------
Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups.
---------------------------------------------
https://asec.ahnlab.com/en/64258/
∗∗∗ Kapeka: Novel malware from Russia? ∗∗∗
---------------------------------------------
Reports about a novel "Kapeka" malware are popping up everywhere. However, it is not new at all and has not been active for almost a year. [..] Rating the discovery of the malware as a "major blow against Russia", as a WithSecure spokesperson was quoted by the press agency dpa, looks more like a PR manoeuvre. After all, Kapeka has not been seen in the wild since the middle of last year, even without any intervention by malware hunters.
---------------------------------------------
https://heise.de/-9688970
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/970324/
∗∗∗ Update for Solarwinds FTP server Serv-U closes high-risk vulnerability ∗∗∗
---------------------------------------------
The Solarwinds Serv-U FTP server contains a vulnerability rated as high risk. The vendor closes it with an update.
---------------------------------------------
https://heise.de/-9689092
∗∗∗ Patch now! Root attacks on Cisco IMC may be imminent ∗∗∗
---------------------------------------------
Important security updates have been released for Cisco Integrated Management Controller and IOS. Exploit code is in circulation.
---------------------------------------------
https://heise.de/-9689086
∗∗∗ Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Integrated Management Controller CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ Unitronics Vision Series PLCs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily