Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 24.04.2024
by Daily end-of-shift report 24 Apr '24

24 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2024 18:00 − Mittwoch 24-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft pulls fix for Outlook bug behind ICS security alerts ∗∗∗ --------------------------------------------- Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-out… ∗∗∗ Assessing the Y, and How, of the XZ Utils incident ∗∗∗ --------------------------------------------- In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ ∗∗∗ Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an ongoing attack campaign thats leveraging phishing emails to deliver malware called SSLoad. --------------------------------------------- https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html ∗∗∗ Decrypting FortiOS 7.0.x ∗∗∗ --------------------------------------------- Decrypting Fortinet’s FortiGate FortiOS firmware is a topic that has been thoroughly covered, in part because of the many variants and permutations of FortiOS firmware, all differing based on hardware architecture and versioning. --------------------------------------------- https://www.labs.greynoise.io/grimoire/2024-04-23-decrypting-fortios/ ∗∗∗ New Password Cracking Analysis Targets Bcrypt ∗∗∗ --------------------------------------------- Hive Systems conducts another study on cracking passwords via brute-force attacks, but it’s no longer targeting MD5. --------------------------------------------- https://www.securityweek.com/new-password-cracking-analysis-targets-bcrypt/ ∗∗∗ Musiker:innen aufgepasst: Spam-Mails versprechen wertvolles Piano ∗∗∗ --------------------------------------------- Musiker:innen und insbesondere Pianist:innen müssen sich aktuell vor betrügerischen E-Mails in Acht nehmen, in denen ihnen ein teures Piano versprochen wird. Kriminelle geben sich als Witwe aus und suchen nach Abnehmer:innen für teure Instrumente wie beispielsweise wie das Yamaha Baby Grand Piano ihres verstorbenen Ehemanns. --------------------------------------------- https://www.watchlist-internet.at/news/musikerinnen-aufgepasst-spam-mails-v… ∗∗∗ Windows-Frage: Wo speichert Bitlocker den Recovery-Key? ∗∗∗ --------------------------------------------- Bitlocker, das "unbekannte Wesen" möchte ich mal den Blog-Beitrag umschreiben. Es geht um die Frage, wo die Windows-Funktion Bitlocker eigentlich den Recovery-Key, der immer mal wieder gebraucht wird, überhaupt speichert. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/windows-frage-wo-speichert-bitlock… ∗∗∗ Exchange Server April 2024 Hotfix-Updates (24. April 2024) ∗∗∗ --------------------------------------------- Microsoft hat zum 24. April Hotfix-Updates (HU) für Exchange Server 2016 und 2019 veröffentlicht. Diese Hotfix-Updates bieten Unterstützung für neue Funktionen und sollen Probleme, die durch das März 2024 Security Update (SU) hervorgerufen wurden, beheben. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/exchange-server-april-2024-hotfix-… ∗∗∗ Distribution of Infostealer Made With Electron ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. --------------------------------------------- https://asec.ahnlab.com/en/64445/ ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana backend sql injection affected all version ∗∗∗ --------------------------------------------- To exploit this sql injection vulnerability, someone must use a valid account login to the grafana web backend, then send malicious POST request to /api/ds/query “rawSql” entry. --------------------------------------------- https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, [...] --------------------------------------------- https://lwn.net/Articles/971004/ ∗∗∗ Google Patches Critical Chrome Vulnerability ∗∗∗ --------------------------------------------- Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. --------------------------------------------- https://www.securityweek.com/google-patches-critical-chrome-vulnerability/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2024
by Daily end-of-shift report 23 Apr '24

23 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-04-2024 18:00 − Dienstag 23-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials ∗∗∗ --------------------------------------------- Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-b… ∗∗∗ Struts "devmode": Still a problem ten years later?, (Tue, Apr 23rd) ∗∗∗ --------------------------------------------- Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution. --------------------------------------------- https://isc.sans.edu/diary/rss/30866 ∗∗∗ An Analysis of the DHEat DoS Against SSH in Cloud Environments ∗∗∗ --------------------------------------------- The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources. --------------------------------------------- https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-a… ∗∗∗ Neu auf Vinted? Scannen Sie keinen QR-Code! ∗∗∗ --------------------------------------------- Vorsicht! Kriminelle kontaktieren gezielt neue Vinted-Nutzer:innen. Sie geben vor, den Artikel kaufen zu wollen und schicken einen QR-Code. Der QR-Code führt jedoch zu einer gefälschten Zahlungsseite von Vinted. Dort erfragen die Kriminellen Ihre Bankdaten und versuchen Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr… ∗∗∗ Suspected CoralRaider continues to expand victimology using three information stealers ∗∗∗ --------------------------------------------- Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. --------------------------------------------- https://blog.talosintelligence.com/suspected-coralraider-continues-to-expan… ∗∗∗ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining ∗∗∗ --------------------------------------------- Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. --------------------------------------------- https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-fo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid). --------------------------------------------- https://lwn.net/Articles/970889/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Welotec: Clickjacking Vulnerability in WebUI ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-023/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2024
by Daily end-of-shift report 22 Apr '24

22 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2024 18:00 − Montag 22-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗ --------------------------------------------- Have you ever encountered the term double agent? Recently, weve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages. --------------------------------------------- https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the… ∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗ --------------------------------------------- Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html ∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗ --------------------------------------------- Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool. --------------------------------------------- https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-sec… ∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗ --------------------------------------------- The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebran… ∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗ --------------------------------------------- BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-st… ∗∗∗ Sicherheitslücke aufgedeckt: Forscher knackt Cisco-Appliance und zockt Doom ∗∗∗ --------------------------------------------- Mit einem eigens entwickelten Exploit-Toolkit hat er sich auf dem BMC einer Cisco ESA C195 einen Root-Zugriff verschafft. [..] Um auf der C195 Doom auszuführen, reicht CVE-2024-20356 allein allerdings nicht aus. Thacker nahm zuerst diverse Modifikationen am Bios der Cisco ESA vor und verschaffte sich erst danach mit Ciscown über das Netzwerk einen Root-Zugriff auf den BMC. [..] Eine Liste der Systeme, die in der Standardkonfiguration anfällig sind, ist im Sicherheitshinweis von Cisco zu finden – ebenso wie die jeweiligen Systemversionen, die einen Patch beinhalten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisc… ∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗ --------------------------------------------- We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts. --------------------------------------------- https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112… ∗∗∗ Vorsicht vor Jobangeboten per WhatsApp, SMS oder Telegram ∗∗∗ --------------------------------------------- Die Betrugsmasche beginnt direkt auf Ihrem Smartphone: Sie bekommen auf WhatsApp, Telegram oder einen anderen Messenger eine Nachricht von einer Jobvermittlung. Ihnen wird ein Nebenjob mit flexibler Zeiteinteilung angeboten. Ihre Aufgabe ist es, Hotels, Online-Shops oder andere Dienstleistungen zu bewerten oder zu testen. Angeblich kann man damit zwischen 300 und 1000 Euro pro Tag verdienen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsa… ∗∗∗ NATO-Cyberübung "Locked Shields": Phishing verhindern, Container verteidigen ∗∗∗ --------------------------------------------- Das Cybersicherheitszentrum der NATO bittet zur Großübung. Sie simuliert, wie kritische Infrastruktur vor digitalen Angriffen geschützt werden kann. --------------------------------------------- https://heise.de/-9691854 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗ --------------------------------------------- On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-f… ∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗ --------------------------------------------- Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-750274.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow). --------------------------------------------- https://lwn.net/Articles/970793/ ∗∗∗ Jetzt patchen! Attacken auf Dateiübertragungsserver CrushFTP beobachtet ∗∗∗ --------------------------------------------- Der Anbieter der Dateiübertragungsserversoftware CrushFTP warnt vor einer Sicherheitslücke, die Angreifer Sicherheitsforschern zufolge bereits ausnutzen. Dagegen gerüstete Versionen stehen zum Download bereit. Aus einer Sicherheitswarnung geht hervor, dass die Ausgaben 10.7.1 und 11.1.0 gegen die Angriffe gerüstet sind. --------------------------------------------- https://heise.de/-9693009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2024
by Daily end-of-shift report 19 Apr '24

19 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2024 18:02 − Freitag 19-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google ad impersonates Whales Market to push wallet drainer malware ∗∗∗ --------------------------------------------- A legitimate-looking Google Search advertisement for the crypto trading platform Whales Market redirects visitors to a wallet-draining phishing site that steals all of your assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whale… ∗∗∗ Fake cheat lures gamers into spreading infostealer malware ∗∗∗ --------------------------------------------- A new info-stealing malware linked to Redline poses as a game cheat called Cheat Lab, promising downloaders a free copy if they convince their friends to install it too. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into… ∗∗∗ SAP Applications Increasingly in Attacker Crosshairs, Report Shows ∗∗∗ --------------------------------------------- Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint. --------------------------------------------- https://www.securityweek.com/sap-applications-increasingly-in-attacker-cros… ∗∗∗ Erneut Phishing-Mails im Namen der ÖGK im Umlauf! ∗∗∗ --------------------------------------------- Derzeit erreichen uns wieder zahlreiche Meldungen über betrügerische Nachrichten, die im Namen der Österreichischen Gesundheitskasse ÖGK versendet werden. Darin wird Ihnen vorgegaukelt, dass Sie eine Rückerstattung von 150,95 Euro erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/erneut-phishing-mails-im-namen-der-o… ∗∗∗ #StopRansomware: Akira Ransomware ∗∗∗ --------------------------------------------- The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a ∗∗∗ "iMessage abschalten": Warnung vor angeblichem Exploit verunsichert Nutzer ∗∗∗ --------------------------------------------- Ein bekanntes Krypto-Wallet warnt iOS-Nutzer vor einem "hochriskanten Zero-Day-Exploit für iMessage". Der angebliche Exploit könnte aber ein Scam sein. --------------------------------------------- https://heise.de/-9690778 ∗∗∗ DDoS-Plattform von internationalen Strafverfolgern abgeschaltet ∗∗∗ --------------------------------------------- Internationale Strafverfolger haben eine DDoS-as-a-service-Plattform abgeschaltet und die Domain beschlagnahmt. --------------------------------------------- https://heise.de/-9691053 ∗∗∗ Ionos-Phishing: Masche mit neuen EU-Richtlinien soll Opfer überzeugen ∗∗∗ --------------------------------------------- Das Phishingradar warnt vor einer Phishing-Masche, bei der Ionos-Kunden angeblich zu neuen EU-Richtlinien zustimmen müssen. --------------------------------------------- https://heise.de/-9691259 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark). --------------------------------------------- https://lwn.net/Articles/970508/ ∗∗∗ FIDO2-Sticks: Lücke in Yubikey-Verwaltungssoftware erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Um die FIDO2-Sticks von Yubikey zu verwalten, stellt der Hersteller eine Software bereit. Eine Lücke darin ermöglicht die Ausweitung der Rechte. --------------------------------------------- https://heise.de/-9690597 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2024
by Daily end-of-shift report 18 Apr '24

18 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-04-2024 18:00 − Donnerstag 18-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Stellungnahme von CERT.at zum NISG 2024 ∗∗∗ --------------------------------------------- Die EU hat noch Ende 2022 die NIS2-Richtlinie angenommen, was den EU Mitgliedstaaten eine Frist bis Herbst 2024 einräumt, diese in nationales Recht zu gießen. Jetzt liegt ein Entwurf für dieses Gesetz vor und wir haben uns genau angesehen, wie die Punkte umgesetzt sind, die uns als nationales CSIRT betreffen. Dabei sind uns einige Stellen aufgefallen, wo wir klares und einfaches Verbesserungspotential sehen. --------------------------------------------- https://cert.at/de/blog/2024/4/nisg2024-stellungnahme ∗∗∗ Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks ∗∗∗ --------------------------------------------- Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMedata workloads left unpatched. [..] The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMedata versions 1.2.4 and 1.3.1. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-openmetadata-… ∗∗∗ Cybercriminals pose as LastPass staff to hack password vaults ∗∗∗ --------------------------------------------- The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastp… ∗∗∗ Mit CVE-Beschreibung: GPT-4 kann eigenständig bekannte Sicherheitslücken ausnutzen ∗∗∗ --------------------------------------------- Forscher haben festgestellt, dass GPT-4 allein anhand der zugehörigen Schwachstellenbeschreibungen 13 von 15 Sicherheitslücken erfolgreich ausnutzen kann. --------------------------------------------- https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bek… ∗∗∗ Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor ∗∗∗ --------------------------------------------- A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell."The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said. --------------------------------------------- https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html ∗∗∗ Redline Stealer: A Novel Approach ∗∗∗ --------------------------------------------- A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. [..] In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-nove… ∗∗∗ Analysis of Pupy RAT Used in Attacks Against Linux Systems ∗∗∗ --------------------------------------------- Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. --------------------------------------------- https://asec.ahnlab.com/en/64258/ ∗∗∗ Kapeka: Neuartige Malware aus Russland? ∗∗∗ --------------------------------------------- Berichte über eine neuartige "Kapeka"-Malware tauchen allerorten auf. Die ist jedoch gar nicht neu und seit fast einem Jahr nicht mehr aktiv. [..] Die Entdeckung der Malware als "großen Schlag gegen Russland" zu werten, wie sich ein WithSecure-Sprecher gegenüber der Presseagentur dpa zitieren ließ, wirkt jedoch wie ein PR-Manöver. Schließlich wurde Kapeka auch ohne Intervention von Schadsoftware-Jägern seit Mitte vergangenen Jahres nicht mehr in freier Wildbahn gesichtet. --------------------------------------------- https://heise.de/-9688970 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/970324/ ∗∗∗ Update für Solarwinds FTP-Server Serv-U schließt Lücke mit hohem Risiko ∗∗∗ --------------------------------------------- Im Solarwinds Serv-U-FTP-Server klafft eine als hohes Risiko eingestufte Sicherheitslücke. Der Hersteller dichtet sie mit einem Update ab. --------------------------------------------- https://heise.de/-9689092 ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco IMC können bevorstehen ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Cisco Integrated Management Controller und IOS erschienen. Exploitcode ist in Umlauf. --------------------------------------------- https://heise.de/-9689086 ∗∗∗ Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Integrated Management Controller CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unitronics Vision Series PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2024
by Daily end-of-shift report 17 Apr '24

17 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-04-2024 18:00 − Mittwoch 17-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SoumniBot: the new Android banker’s unique techniques ∗∗∗ --------------------------------------------- We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection. --------------------------------------------- https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112… ∗∗∗ Malicious PDF File Used As Delivery Mechanism, (Wed, Apr 17th) ∗∗∗ --------------------------------------------- Billions of PDF files are exchanged daily and many people trust them because they think the file is "read-only" and contains just "a bunch of data". In the past, badly crafted PDF files could trigger nasty vulnerabilities in PDF viewers. --------------------------------------------- https://isc.sans.edu/diary/rss/30848 ∗∗∗ Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware ∗∗∗ --------------------------------------------- Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. --------------------------------------------- https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html ∗∗∗ Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new campaign thats exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html ∗∗∗ Neue Phishing-Masche: Gefälschte Postbriefe ∗∗∗ --------------------------------------------- Die Polizei warnt vor vermehrten Phishing-Fällen in der Steiermark. In Postkästen hinterlegten unbekannte Täter gefälschte Postbenachrichtigungen mit angeführten QR-Codes. Damit sollen Opfer auf eine gefälschte Website gelockt und persönliche Daten abgesaugt werden. --------------------------------------------- https://steiermark.orf.at/stories/3253261/ ∗∗∗ Vorsicht vor unseriösen Ticketangeboten für die UEFA EURO 2024 in Deutschland! ∗∗∗ --------------------------------------------- Fußball-Fans aufgepasst: Wenn Sie jetzt noch auf der Suche nach Eintrittskarten in die Europameisterschaftsstadien für die EM 2024 sind, müssen Sie sich vor betrügerischen und unseriösen Angeboten in Acht nehmen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-ticketangebote-euro2024/ ∗∗∗ OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal ∗∗∗ --------------------------------------------- The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. --------------------------------------------- https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confident… ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti warns of critical flaws in its Avalanche MDM solution ∗∗∗ --------------------------------------------- Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-fla… ∗∗∗ VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models ∗∗∗ --------------------------------------------- Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. --------------------------------------------- https://kb.cert.org/vuls/id/253266 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot). --------------------------------------------- https://lwn.net/Articles/970169/ ∗∗∗ Oracle Critical Patch Update Advisory - April 2024 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2024.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Huawei Security Bulletins ∗∗∗ --------------------------------------------- https://securitybulletin.huawei.com/enterprise/en/security-advisory -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2024
by Daily end-of-shift report 16 Apr '24

16 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2024 18:00 − Dienstag 16-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe its so? Iinstead, weve decided to do something better - thats right! Were proud to release another detection artefact generator tool, this time in the form of an HTTP request: --------------------------------------------- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-c… ∗∗∗ Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗ --------------------------------------------- One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April. --------------------------------------------- https://isc.sans.edu/diary/rss/30838 ∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗ --------------------------------------------- A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-… ∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗ --------------------------------------------- New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager. --------------------------------------------- https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html ∗∗∗ Vorsicht vor falschen Bankanrufen ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf – angeblich von einer Bank. Die Person am Telefon behauptet, Sie hätten einen Kreditantrag eingereicht. Wenn Sie widersprechen, erklärt die Person am Telefon, dass dann wohl Kriminelle in Ihrem Namen den Kreditantrag gestellt hätten. Legen Sie auf! Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/ ∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗ --------------------------------------------- Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here. --------------------------------------------- https://blog.talosintelligence.com/large-scale-brute-force-activity-targeti… ∗∗∗ Zugriffsmanagement: Kritische Admin-Lücke in Delinea Secret Server geschlossen ∗∗∗ --------------------------------------------- Die Privileged-Access-Management-Lösung (PAM) Secret Server von Delinea ist verwundbar. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-9686457 ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in PuTTY - CVE-2024-31497 ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen haben in PuTTY, einer verbreiteten quelloffenen Software zur Herstellung von Verbindungen über Secure Shell (SSH), eine schwere Sicherheitslücke gefunden. Die Ausnutzung von CVE-2024-31497 erlaubt es Angreifer:innen unter bestimmten Umständen, den privaten Schlüssel eines kryptographischen Schlüsselpaares wiederherzustellen. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/970036/ ∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23835228/ ∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFai… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/ ∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt ∗∗∗ Measuresoft ScadaPro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01 ∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 ∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03 ∗∗∗ RoboDK RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2024
by Daily end-of-shift report 15 Apr '24

15 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2024 18:00 − Montag 15-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report. --------------------------------------------- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthent… ∗∗∗ Cisco Duo warns third-party data breach exposed SMS MFA logs ∗∗∗ --------------------------------------------- Cisco Duos security team warns that hackers stole some customers VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-… ∗∗∗ Angriff via WebGPU: Sensible Nutzerdaten lassen sich per Javascript auslesen ∗∗∗ --------------------------------------------- Einem Forscherteam der TU Graz ist es gelungen, durch drei verschiedene Seitenkanalangriffe über die in modernen Webbrowsern integrierte Grafikschnittstelle WebGPU sicherheitsrelevante Nutzerdaten wie Tastatureingaben oder Verschlüsselungsschlüssel auszuspähen. Durch die Forschungsarbeit will das Team vor allem auf die Risiken aufmerksam machen, die mit der Implementierung von WebGPU einhergehen können. --------------------------------------------- https://www.golem.de/news/angriff-via-webgpu-sensible-nutzerdaten-lassen-si… ∗∗∗ Using the LockBit builder to generate targeted ransomware ∗∗∗ --------------------------------------------- Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder. --------------------------------------------- https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/ ∗∗∗ Delinea Secret Server customers should apply latest patches ∗∗∗ --------------------------------------------- Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access. [..] Delinea sent us a statement post publication: "We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/15/delinea_secr… ∗∗∗ Unpacking the Blackjack Groups Fuxnet Malware ∗∗∗ --------------------------------------------- Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. [..] Screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment. --------------------------------------------- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-m… ∗∗∗ Falsche Google-Anrufe zu Ihrem Google-Business-Eintrag ∗∗∗ --------------------------------------------- Vorsicht, wenn Anrufer:innen vorgeben, von Google zu sein. Vermehrt geben sich Kriminelle als Google aus und behaupten, dass die Testphase Ihres Google-Business-Profils abgelaufen und der Eintrag nun kostenpflichtig sei. Legen Sie gleich auf! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-google-anrufe-zu-ihrem-googl… ∗∗∗ “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. --------------------------------------------- https://asec.ahnlab.com/en/64106/ ∗∗∗ Lancom-Setup-Assistent leert Root-Passwort ∗∗∗ --------------------------------------------- Wer Lancom-Router mit dem Windows-Setup-Assistenten konfiguriert, läuft Gefahr, das Root-Passwort durch ein leeres zu ersetzen. --------------------------------------------- https://heise.de/-9682694 ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability ∗∗∗ --------------------------------------------- Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html ∗∗∗ Sicherheitsupdates: Schwachstellen in PHP gefährden Websites ∗∗∗ --------------------------------------------- Die PHP-Entwickler haben mehrere Schwachstellen geschlossen. Eine Sicherheitslücke gilt als kritisch. --------------------------------------------- https://heise.de/-9684558 ∗∗∗ Telegram Desktop: Tippfehler im Quellcode mündet in RCE-Schwachstelle ∗∗∗ --------------------------------------------- Ein Tippfehler im Code der Windows-App von Telegram ermöglicht die Ausführung von Schadcode auf fremden Systemen. Es reicht ein Klick auf ein vermeintliches Video. [..] Der Tippfehler im Telegram-Quellcode bezieht sich aber nicht auf .exe, sondern auf die Dateiendung .pyzw, die ausführbaren Python-Zip-Archiven zugeordnet wird. Diese war im Code noch bis zum 11. April als .pywz hinterlegt, so dass die oben genannte Sicherheitswarnung bei einem Klick auf eine .pyzw-Datei gar nicht erst erschien. [..] Zwar hat Telegram den Fehler im Quellcode inzwischen behoben, ein entsprechendes Update für die Windows-App wurde bisher aber offenbar nicht verteilt. --------------------------------------------- https://www.golem.de/news/telegram-desktop-tippfehler-im-quellcode-muendet-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard). --------------------------------------------- https://lwn.net/Articles/969873/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Xen: XSA-456 ∗∗∗ --------------------------------------------- https://xenbits.xenproject.org/people/gdunlap/xsa-draft/advisory-456.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2024
by Daily end-of-shift report 12 Apr '24

12 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2024 18:00 − Freitag 12-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Anweisung von oben: US-Behörden müssen nach Cyberangriff auf Microsoft aufräumen ∗∗∗ --------------------------------------------- Die Angreifer haben offenbar auch E-Mails abgegriffen, die zwischen Microsoft und US-Behörden ausgetauscht wurden. Letztere müssen nun handeln. --------------------------------------------- https://www.golem.de/news/anweisung-von-oben-us-behoerden-muessen-nach-cybe… ∗∗∗ Sicherheit: Apple warnt iPhone-Nutzer großflächig vor Spyware-Attacke ∗∗∗ --------------------------------------------- Apple hat iPhone-Besitzer in 92 Ländern vor Auftrags-Spyware-Angriffen gewarnt. Betroffene sollten die Warnung ernst nehmen und sich Hilfe suchen. --------------------------------------------- https://www.golem.de/news/sicherheit-apple-warnt-iphone-nutzer-grossflaechi… ∗∗∗ XZ backdoor story – Initial analysis ∗∗∗ --------------------------------------------- Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-1/112354/ ∗∗∗ Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a credit card skimmer thats concealed within a fake Meta Pixel tracker script in an attempt to evade detection. --------------------------------------------- https://thehackernews.com/2024/04/sneaky-credit-card-skimmer-disguised-as.h… ∗∗∗ Betrügerische Casino-Apps werden massiv über Facebook und Instagram beworben! ∗∗∗ --------------------------------------------- Mit zahlreichen Werbeanzeigen versuchen Kriminelle, ihre Opfer zum Download verschiedener Casino-Apps zu bewegen. Meist werden unglaubliche Gewinne versprochen, dazu kommen Freispiele und Boni von mehreren tausend Euro. In manchen Werbeanzeigen werden sogar Deepfake-Videos eingesetzt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-casino-apps-werden-ma… ∗∗∗ IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377) ∗∗∗ --------------------------------------------- Today, in this iteration of 'watchTowr Labs takes aim at yet another piece of software' we wonder why the industry panics about backdoors in libraries that have taken 2 years to be unsuccessfully introduced - while security vendors like IBM can't even update libraries used in their flagship security products that subsequently allow for trivial exploitation. [..] For those unfamiliar with defensive security products, QRadar is the mastermind application that can sit on-premise or in the cloud via IBM's SaaS offering. Quite simply, it's IBM's Security Information and Event Management (SIEM) product - and is the heart of many enterprise's security software stack. --------------------------------------------- https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-secur… ∗∗∗ Krypto-Scams: Coinbase warnt EU-Kunden vor iPhone-Sideloading ∗∗∗ --------------------------------------------- Die Kryptobörse weist europäische Kunden an, die App nur aus Apples App Store zu beziehen. Auch dort wurden zuletzt aber Fake-Wallets gesichtet. --------------------------------------------- https://heise.de/-9683728 ∗∗∗ Intellexa: Spyware des Predator-Herstellers kommt über Online-Werbung ∗∗∗ --------------------------------------------- Der Malware-Dealer Intellexa stellt Spähsoftware vor, die Handys rein über Werbebanner infiziert. [..] Die neue Malware heißt Aladdin und installiert sich ohne Klick des Opfers (Zero-Click-Exploits). [..] Das Gesamtpaket kostet vier Millionen Euro, inklusive einjähriger Garantie und 24-Stunden-Support. Telefonnummern aus den USA, Griechenland und Israel sollen nicht angegriffen werden dürfen, was offenbar auf verhängte Sanktionen zurückgeht. --------------------------------------------- https://heise.de/-9682500 ∗∗∗ Sicherheitslücken: Angreifer können Juniper-Netzwerkgeräte lahmlegen ∗∗∗ --------------------------------------------- Wichtige Patches schließen mehrere Schwachstellen in Junos OS, die Firewalls, Router und Switches verwundbar machen. --------------------------------------------- https://heise.de/-9682955 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Palo Alto PAN-OS (Global Protect) ∗∗∗ --------------------------------------------- n Palo Altos PAN-OS GlobalProtect-Funktion wurde eine kritische Sicherheitslücke identifiziert, welche das Einschleusen von Kommandos erlaubt. Zur Ausnutzung der Schwachstelle muss ein Gateway konfiguriert, und die sogenannte "Device Telemetry" aktiviert sein (zweiteres ist den betroffenen Versionen standardmäßig gegeben). Da noch keine Updates verfügbar sind, kann die Schwachstelle lediglich durch Konfigurationsänderungen mitigiert werden - beachten Sie den Abschnitt "Abhilfe". [..] CVE-2024-3400 --------------------------------------------- https://cert.at/de/warnungen/2024/4/palo-alto-cve-2024-3400 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss). --------------------------------------------- https://lwn.net/Articles/969590/ ∗∗∗ Linux-Kernel: Neuer Exploit verschafft Root-Rechte ∗∗∗ --------------------------------------------- Ob die Lücke in den jüngsten Kernelversionen behoben ist, ist selbst Sicherheitsexperten unklar. Auch um die Urheberschaft gibt es Streit. --------------------------------------------- https://heise.de/-9682586 ∗∗∗ B&R: 2024-04-10: Cyber Security Advisory - B&R APROL Several vulnerabilities in the Docker Engine ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P006_Several_vulnerabilities_in… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2024
by Daily end-of-shift report 11 Apr '24

11 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2024 18:00 − Donnerstag 11-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Spectre v2 attack impacts Linux systems on Intel CPUs ∗∗∗ --------------------------------------------- Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [..] The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities. For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impact… ∗∗∗ CISA says Sisense hack impacts critical infrastructure orgs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-sisense-hack-impac… ∗∗∗ DragonForce Ransomware - What You Need To Know ∗∗∗ --------------------------------------------- A relatively new strain of ransomware called DragonForce has making the headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. So far, so normal. How did DragonForce come to prominence? --------------------------------------------- https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-… ∗∗∗ CISA Releases Malware Next-Gen Analysis System for Public Use ∗∗∗ --------------------------------------------- CISAs Malware Next-Gen system is now available for any organization to submit malware samples and other suspicious artifacts for analysis. --------------------------------------------- https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system… ∗∗∗ Metasploit Meterpreter Installed via Redis Server ∗∗∗ --------------------------------------------- Redis is an abbreviation of Remote Dictionary Server, which is an open-source in-memory data structure storage that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks. --------------------------------------------- https://asec.ahnlab.com/en/64034/ ∗∗∗ Control Web Panel - Fingerprinting Open-Source Software using a Consolidation Algorithm approach ∗∗∗ --------------------------------------------- This blog post details one of these very unique cases: `CVE-2022-44877`, an unauthenticated Command Injection issue, flagged by CISA as a Known Exploited Vulnerability (CISA KEV), affecting Control Web Panel, an open-source control panel for servers and VPS management. Initially, the team could not find a way to straightforwardly fingerprint the software’s version, nor another way to detect it without intrusive exploitation - thus we used a novelty technique: an algorithm that retrieves the web application’s static web content files and consolidates them to pin-point the software’s version. --------------------------------------------- https://www.bitsight.com/blog/control-web-panel-fingerprinting-open-source-… ===================== = Vulnerabilities = ===================== ∗∗∗ Node.js Security Advisories Apr 10, 2024 ∗∗∗ --------------------------------------------- Node v21.7.3 (Current), Node v20.12.2 (LTS), Node v18.20.2 (LTS): CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows. --------------------------------------------- https://nodejs.org/en/blog/release/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux). --------------------------------------------- https://lwn.net/Articles/969468/ ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142 ∗∗∗ --------------------------------------------- Two issues have been identified that affect XenServer and Citrix Hypervisor; each issue may allow malicious unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host. --------------------------------------------- https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hyperviso… ∗∗∗ Google Chrome: Sandbox-Ausbruch durch bestimmte Gesten möglich ∗∗∗ --------------------------------------------- Mit etwas Verspätung haben Googles Entwickler das wöchentliche Update für den Chrome-Webbrowser veröffentlicht. Insgesamt drei Sicherheitslücken stopfen die Programmierer darin. Alle tragen die Risikoeinstufung "hoch". --------------------------------------------- https://heise.de/-9681413 ∗∗∗ WLAN-Access-Points von TP-Link 15 Minuten nach Reboot attackierbar ∗∗∗ --------------------------------------------- Angreifer können die WLAN-Access-Points von TP-Link AC1350 Wireless und N300 Wireless N Ceiling Mount attackieren und unter anderem auf Werksweinstellungen zurücksetzen. [..] Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9681863 ∗∗∗ Palo Alto Security Advisories ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily