=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-04-2024 18:00 - Wednesday 03-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ NIS2 consultation procedure started ∗∗∗
---------------------------------------------
On 3 April 2024 the Austrian government sent the Cybersecurity Act transposing the European NIS2 Directive out for public consultation.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D
∗∗∗ Criticism after cyberattack: Microsoft does not have its crown jewels under control ∗∗∗
---------------------------------------------
A cyberattack on Microsoft's servers detected in summer 2023 had devastating consequences for some customers. A US commission is now levelling serious accusations against the company.
---------------------------------------------
https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m…
∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗
---------------------------------------------
As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked.
---------------------------------------------
https://www.wired.com/story/jia-tan-xz-backdoor/
∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗
---------------------------------------------
In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.
---------------------------------------------
https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila…
∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗
---------------------------------------------
PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e…
∗∗∗ High mobile phone bill because of an unwanted subscription? ∗∗∗
---------------------------------------------
Out of the blue, your mobile operator informs you by email or SMS that you have taken out a subscription. You are sure you never agreed to any contract and have no idea how it came about? We show you what you can do about dubious charges on your mobile phone bill and how to protect yourself from subscription traps.
---------------------------------------------
https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes…
∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability.
---------------------------------------------
https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121…
∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗
---------------------------------------------
Our new article provides key highlights and takeaways from Operation Cronos disruption of LockBits operations, as well as telemetry details on how LockBit actors operated post-disruption.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
---------------------------------------------
https://lwn.net/Articles/968218/
∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗
---------------------------------------------
A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl…
∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗
---------------------------------------------
Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar…
∗∗∗ Android Patchday: attackers can gain elevated privileges ∗∗∗
---------------------------------------------
Besides Google, Samsung and other manufacturers have also released important security updates for Android devices.
---------------------------------------------
https://heise.de/-9673480
∗∗∗ Code injection vulnerability in VMware SD-WAN Edge and Orchestrator ∗∗∗
---------------------------------------------
Three security vulnerabilities in VMware's SD-WAN Edge and Orchestrator allow attackers, among other things, to inject malicious code.
---------------------------------------------
https://heise.de/-9673416
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/
∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2404-01.pdf
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-03-2024 18:00 - Tuesday 02-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ State-sponsored "development" of open-source software ∗∗∗
---------------------------------------------
Anyone looking for a short summary of the events around the (most likely) backdoor in xz, CVE-2024-3094, should take a look at this graphic created by security researcher Thomas Roccia. It sums up the key details, which are examined in considerably more depth in the following paragraphs. Alternatively, this blog post could have had a much snappier title, "CVE-2024-3094", because that is what this article is about.
---------------------------------------------
https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffen…
∗∗∗ The amazingly scary xz sshd backdoor, (Mon, Apr 1st) ∗∗∗
---------------------------------------------
The whole story around this is both fascinating and scary – and I’m sure will be told around numerous time, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let’s take a look at couple of fascinating things in this backdoor.
---------------------------------------------
https://isc.sans.edu/diary/rss/30802
∗∗∗ On Cybersecurity Alert Levels ∗∗∗
---------------------------------------------
Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here.
---------------------------------------------
https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels
∗∗∗ Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! ∗∗∗
---------------------------------------------
Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.
---------------------------------------------
https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed…
∗∗∗ From OneNote to RansomNote: An Ice Cold Intrusion ∗∗∗
---------------------------------------------
In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
---------------------------------------------
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold…
∗∗∗ Adversaries are leveraging remote access tools now more than ever — here’s how to stop them ∗∗∗
---------------------------------------------
While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
---------------------------------------------
https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access…
∗∗∗ Earth Freybug Uses UNAPIMON for Unhooking Critical APIs ∗∗∗
---------------------------------------------
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Update #1: Critical security vulnerability/backdoor in xz-utils (CVE-2024-3094) ∗∗∗
---------------------------------------------
A backdoor has been discovered in versions 5.6.0 and 5.6.1 of the widely used xz-utils library. xz-utils is commonly used to compress software packages, kernel images and initramfs images. The vulnerability allows unauthenticated attackers to bypass sshd authentication on vulnerable systems and gain unauthorised access to the entire system. We are currently not aware of any active exploitation.
---------------------------------------------
https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41…
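As an added check, not part of the CERT.at advisory or of the xz project: a small POSIX shell script that flags the two backdoored releases named above (5.6.0 and 5.6.1, taken from the advisory) on the local host and reports whether the local sshd binary links liblzma at all. The liblzma linkage test is an added heuristic, not something the advisory states: the backdoor lives in liblzma and reaches sshd only when sshd loads that library, so an sshd without that dependency is not exposed through this path. It is not a proof that the malicious code is absent from the system; the version check is the authoritative one.

```shell
#!/bin/sh
# Added example, not part of the CERT.at advisory: local check for the
# backdoored xz-utils releases 5.6.0 and 5.6.1 (CVE-2024-3094).
# Assumption (added heuristic): the backdoor reaches sshd via liblzma, so an
# sshd that does not link liblzma is not exposed through that path.

# xz_version_is_backdoored STRING
# Returns 0 when STRING names one of the backdoored releases. STRING may be a
# bare version ("5.6.1") or a line of `xz --version` output such as
# "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1"; the last whitespace-separated
# token is compared.
xz_version_is_backdoored() {
    v=${1##* }
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# sshd_links_liblzma PATH
# Returns 0 when ldd lists liblzma among PATH's shared-library dependencies,
# 1 when it does not, 2 when ldd is unavailable.
sshd_links_liblzma() {
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# check_host
# Runs both checks against the local system; prints one line per finding and
# returns 1 if a backdoored xz or liblzma release is installed, 0 otherwise.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        # `xz --version` prints one line for the xz tool and one for liblzma;
        # the last token of each line is the version number.
        for v in $(xz --version 2>/dev/null | awk '{print $NF}'); do
            if xz_version_is_backdoored "$v"; then
                echo "FLAG: backdoored xz-utils release installed: $v"
                rc=1
            else
                echo "ok:   xz-utils component version $v is not 5.6.0/5.6.1"
            fi
        done
    else
        echo "info: xz not found in PATH"
    fi

    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ]; then
        if sshd_links_liblzma "$sshd_bin"; then
            echo "info: $sshd_bin links liblzma; exposed if liblzma is 5.6.0/5.6.1"
        else
            echo "ok:   $sshd_bin does not link liblzma (or ldd is unavailable)"
        fi
    else
        echo "info: no sshd binary found"
    fi
    return $rc
}

check_host
```

Run it as root or as any user with read access to the sshd binary; a non-zero exit status means a backdoored release is installed and the host should be treated as compromised rather than merely patched.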
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
---------------------------------------------
https://lwn.net/Articles/967851/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
---------------------------------------------
https://lwn.net/Articles/967959/
∗∗∗ Security Flaw in WP-Members Plugin Leads to Script Injection ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages.
---------------------------------------------
https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-sc…
∗∗∗ Bitdefender closes high-risk security vulnerability ∗∗∗
---------------------------------------------
A security vulnerability allowed attackers to escalate their privileges on computers running Bitdefender antivirus. The hole has been closed.
---------------------------------------------
https://heise.de/-9672841
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139092 : DNS vulnerability CVE-2023-50387 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139092
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-03-2024 18:00 - Friday 29-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Doctor Web’s January 2024 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%.
---------------------------------------------
https://news.drweb.com/show/review/?lng=en&i=14833
∗∗∗ Quick Forensics Analysis of Apache logs, (Fri, Mar 29th) ∗∗∗
---------------------------------------------
Sometimes you have to quickly investigate a web server's logs for potential malicious activity. If you're lucky, the logs are already indexed in real time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs to a local system or a cloud instance and index them manually. But that's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible to their location/source and only download the investigation results.
---------------------------------------------
https://isc.sans.edu/diary/rss/30792
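As an added example of the "process close to the source" approach the diary's author describes (this script is not from the diary): a first pass over an Apache access log in Combined Log Format using only POSIX sh, awk, sort and uniq, so it can run on the web server itself and only a short summary (requests per source IP, status-code distribution, IPs with repeated 4xx responses, request lines carrying traversal or injection markers) has to leave the host. The log lines embedded in the script are constructed for the example, and the marker patterns are this example's own choice, not a list taken from the diary.

```shell
#!/bin/sh
# Added example, not from the ISC diary: first-pass triage of an Apache access
# log in Combined Log Format with POSIX sh, awk, sort and uniq only, so it can
# run on the web server and only the summary needs to leave the host.
# Field layout assumed: awk $1 is the source IP and $9 the HTTP status; when
# splitting on double quotes, field 2 is the request line.

# Constructed sample lines (not real traffic), used when no log file is given.
SAMPLE_LOG='203.0.113.7 - - [29/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Mar/2024:10:02:11 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"
198.51.100.9 - - [29/Mar/2024:10:02:12 +0000] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [29/Mar/2024:10:02:13 +0000] "POST /shell.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [29/Mar/2024:10:03:00 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# top_ips < log: prints "count ip" per line, busiest source first.
top_ips() {
    awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# status_counts < log: prints "count status" per line, most frequent first.
status_counts() {
    awk '{print $9}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# error_heavy_ips MIN < log: IPs with at least MIN 4xx responses (default 3),
# a cheap signal for scanners and login brute-forcing.
error_heavy_ips() {
    min=${1:-3}
    awk -v min="$min" '$9 ~ /^4/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# suspicious_requests < log: lines whose request line carries a path
# traversal, a command-injection parameter, a SQL-injection keyword pair
# or targets /cgi-bin/. Patterns are this example's own, tune them per site.
suspicious_requests() {
    awk -F'"' '$2 ~ /\.\.\/|\/etc\/passwd|cmd=|\/cgi-bin\/|union.select/'
}

# triage [FILE]: print all four summaries for FILE, or for the built-in
# sample when FILE is omitted. Each summary streams the file once; nothing
# is copied into memory.
triage() {
    f=${1:-}
    feed() {
        if [ -n "$f" ]; then "$@" < "$f"; else printf '%s\n' "$SAMPLE_LOG" | "$@"; fi
    }
    echo "== requests per source IP ==";      feed top_ips
    echo "== requests per status code ==";    feed status_counts
    echo "== IPs with >= 3 4xx responses =="; feed error_heavy_ips 3
    echo "== suspicious request lines ==";    feed suspicious_requests
}

triage "$@"
```

On a real server run `sh triage.sh /var/log/apache2/access.log` (path is an assumption; use the site's actual log) and copy only the printed summary off the host; the individual functions also accept a log on stdin, for instance `zcat access.log.*.gz | suspicious_requests`, so rotated logs can be covered without unpacking them to disk first.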
∗∗∗ New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking ∗∗∗
---------------------------------------------
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante.
---------------------------------------------
https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html
∗∗∗ Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds ∗∗∗
---------------------------------------------
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
---------------------------------------------
https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html
∗∗∗ Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base ∗∗∗
---------------------------------------------
US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity.
---------------------------------------------
https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-d…
∗∗∗ Email about a "questionable transaction" leads to malware ∗∗∗
---------------------------------------------
Criminals are currently sending emails indiscriminately to companies with the subject line "Questionable Transaction on Credit Card - Need Explanation". They ask the recipient to reply to the email and explain where the "questionable transaction" on the credit card came from. Anyone who replies promptly receives another email, this time with a bank statement attached as proof. At least that is what the criminals claim.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktio…
∗∗∗ Stories from the SOC Part 1: IDAT Loader to BruteRatel ∗∗∗
---------------------------------------------
In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-ida…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
---------------------------------------------
https://lwn.net/Articles/967134/
∗∗∗ 26 Security Issues Patched in TeamCity ∗∗∗
---------------------------------------------
TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”.
---------------------------------------------
https://www.securityweek.com/26-security-issues-patched-in-teamcity/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139084 : DNS vulnerability CVE-2023-50868 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139084
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-03-2024 18:00 - Thursday 28-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗
---------------------------------------------
A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service…
∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗
---------------------------------------------
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spra…
∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗
---------------------------------------------
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
---------------------------------------------
https://securelist.com/dinodasrat-linux-implant/112284/
∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗
---------------------------------------------
It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called "_Rechnung_01941085434_PDF.js" ("Rechnung" is German for invoice) and had a low VT score.
---------------------------------------------
https://isc.sans.edu/diary/rss/30788
∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗
---------------------------------------------
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.
---------------------------------------------
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its…
∗∗∗ Netz-digitalisierung.com opens accounts in your name! ∗∗∗
---------------------------------------------
Tempting side-job offers as an app tester or study participant via the site netz-digitalisierung.com lead to identity theft! The criminals open accounts in your name and may use them for criminal purposes.
---------------------------------------------
https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/
∗∗∗ Pre-ransomware activity: threat actors are still, and increasingly, using CitrixBleed (CVE-2023-4966) for initial access ∗∗∗
---------------------------------------------
We are currently aware of several ransomware incidents in Austria in which CitrixBleed (CVE-2023-4966) was very likely used as the primary attack vector for initial access to the organisations' networks. A patch has been available for some time.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-n…
∗∗∗ Too much malicious code yet again: no new projects for Python registry PyPI ∗∗∗
---------------------------------------------
A flood of packages containing malicious code has prompted the operators of the Python Package Index to halt the registration of new projects and users.
---------------------------------------------
https://heise.de/-9670240
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidia's newborn ChatRTX bot patched for security bugs ∗∗∗
---------------------------------------------
ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE-2024-0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
---------------------------------------------
https://lwn.net/Articles/966961/
∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗
---------------------------------------------
Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.
---------------------------------------------
https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-p…
∗∗∗ New SugarCRM versions close critical vulnerabilities ∗∗∗
---------------------------------------------
The new versions SugarCRM 13.03 and 12.05 close a total of 18 vulnerabilities, some of them critical.
---------------------------------------------
https://heise.de/-9670436
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_05
∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_04
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-03-2024 18:00 - Wednesday 27-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ransomware as a Service and the Strange Economics of the Dark Web ∗∗∗
---------------------------------------------
Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-…
∗∗∗ CISA tags Microsoft SharePoint RCE bug as actively exploited ∗∗∗
---------------------------------------------
CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoi…
∗∗∗ Row breaks out over true severity of two DNSSEC flaws ∗∗∗
---------------------------------------------
Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_ris…
∗∗∗ Fake Booking.com contact numbers lure you into a trap! ∗∗∗
---------------------------------------------
Beware of fraudulent phone numbers when googling Booking.com contact information. Criminals create fake websites with the Booking logo and display phone numbers on them.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-bookingcom-kontaktnummer…
∗∗∗ Advanced Nmap Scanning Techniques ∗∗∗
---------------------------------------------
Beyond its fundamental port scanning capabilities, Nmap offers a suite of advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/advanced-nmap-scann…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Ray framework flaw to breach servers, hijack resources ∗∗∗
---------------------------------------------
A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framewor…
∗∗∗ Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions ∗∗∗
---------------------------------------------
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
---------------------------------------------
https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
---------------------------------------------
https://lwn.net/Articles/966835/
∗∗∗ Exposing a New BOLA Vulnerability in Grafana ∗∗∗
---------------------------------------------
Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Security Advisories 2024-03-27 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Splunk Security Advisories ∗∗∗
---------------------------------------------
https://advisory.splunk.com/advisories
∗∗∗ Google Chrome: critical vulnerability threatens browser users ∗∗∗
---------------------------------------------
https://heise.de/-9668035
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-03-2024 18:00 - Tuesday 26-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗
---------------------------------------------
Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play…
∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗
---------------------------------------------
During a recent Linux forensic engagement, a colleague asked if there was any way to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do?
---------------------------------------------
https://isc.sans.edu/diary/rss/30774
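As an added example (not the linux-pkgs.sh script from the diary): on a mounted Debian/Ubuntu image the dpkg database is the plain-text file var/lib/dpkg/status under the mount point, so the installed-package list can be recovered without running any package tool from the image. The Python below parses that file and separates packages that are actually installed from ones that were removed with config files left behind. The sample status stanzas are constructed, not taken from any victim image; the mount point path is an assumption.

```python
"""Recover the installed-package list from an offline Debian/Ubuntu disk image.

Example code written for this digest; not the diary's linux-pkgs.sh.
Reads <mountpoint>/var/lib/dpkg/status, which is plain text, so nothing from
the suspect image has to be executed.
"""
import re
from pathlib import Path

# Constructed sample in the real dpkg status format (not from any real image).
SAMPLE_STATUS = """\
Package: openssh-server
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 1808
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Architecture: amd64
Version: 1:9.2p1-2+deb12u2
Description: secure shell (SSH) server, for secure access from remote machines

Package: nmap
Status: deinstall ok config-files
Priority: optional
Architecture: amd64
Version: 7.93+dfsg1-1
Description: The Network Mapper

Package: xz-utils
Status: install ok installed
Priority: required
Architecture: amd64
Version: 5.4.1-0.2
Description: XZ-format compression utilities
"""


def parse_dpkg_status(text):
    """Return one dict (name, version, arch, status) per stanza of a dpkg status file.

    Stanzas are separated by blank lines; each field is 'Name: value' and
    continuation lines start with a space. Only the fields we need are kept.
    """
    packages = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" "):  # continuation of a multi-line field, skip
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages.append({
                "name": fields["Package"],
                "version": fields.get("Version", ""),
                "arch": fields.get("Architecture", ""),
                "status": fields.get("Status", ""),
            })
    return packages


def installed_packages(text):
    """Keep only packages whose dpkg state is 'installed'.

    Status is 'want flag state'. 'deinstall ok config-files' means the package
    was removed but its configuration is still on disk: worth noting in a
    timeline, but not an installed package.
    """
    return [p for p in parse_dpkg_status(text)
            if p["status"].split()[-1:] == ["installed"]]


def installed_packages_from_image(mountpoint):
    """Read the status file from a mounted image, e.g. /mnt/evidence (assumed path)."""
    status_path = Path(mountpoint) / "var/lib/dpkg/status"
    return installed_packages(status_path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for p in installed_packages(SAMPLE_STATUS):
        print(f"{p['name']}\t{p['version']}\t{p['arch']}")
```

For RPM-based images the database is binary rather than text, so the usual approach is to point the host's rpm at the mounted copy (rpm -qa --dbpath <mountpoint>/var/lib/rpm) instead of parsing it by hand; either way, nothing from the image is executed.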
∗∗∗ Agent Tesla's New Ride: The Rise of a Novel Loader ∗∗∗
---------------------------------------------
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-tesla…
∗∗∗ The Darkside of TheMoon ∗∗∗
---------------------------------------------
The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
---------------------------------------------
https://blog.lumen.com/the-darkside-of-themoon/
∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗
---------------------------------------------
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).
---------------------------------------------
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-ap…
∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗
---------------------------------------------
A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.
---------------------------------------------
https://www.securityweek.com/suspicious-nuget-package-harvesting-informatio…
∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗
---------------------------------------------
This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/966678/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, CVE-2023-42950, CVE-2023-42956, CVE-2023-42843.
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0002.html
∗∗∗ macOS 14.4.1 with plenty of bug fixes; security background on iOS 17.4.1 ∗∗∗
---------------------------------------------
Apple released another update for macOS 14 on Monday evening. It fixes various bugs. In parallel, there is information on iOS 17.4.1 and its fixes.
---------------------------------------------
https://heise.de/-9666170
∗∗∗ Load balancer: Security vulnerabilities in Loadmaster from Progress/Kemp ∗∗∗
---------------------------------------------
The Loadmaster load balancer software from Progress/Kemp has security vulnerabilities through which attackers can, among other things, inject commands.
---------------------------------------------
https://heise.de/-9666253
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-201698.html
∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02
∗∗∗ Rockwell Automation Arena Simulation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03
∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-03-2024 18:00 − Monday 25-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New ZenHammer memory attack impacts AMD Zen CPUs ∗∗∗
---------------------------------------------
Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-…
∗∗∗ New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts ∗∗∗
---------------------------------------------
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-k…
∗∗∗ Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others ∗∗∗
---------------------------------------------
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data.
---------------------------------------------
https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html
∗∗∗ New Go loader pushes Rhadamanthys stealer ∗∗∗
---------------------------------------------
A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader…
∗∗∗ Phishing with fake invoices from law firms ∗∗∗
---------------------------------------------
According to BlueVoyant, the attackers pose as law firms and abuse the trust their victims place in "reputable" lawyers. [..] The NaurLegal campaign feigns legitimacy by creating and sending PDF files with plausible-looking file names such as „Rechnung_[Nummer]_von_[Name der Anwaltskanzlei].pdf“. [..] The NaurLegal campaign's infrastructure includes domains linked to WikiLoader, and its follow-on activity points to an attribution to this malware family. WikiLoader is known for sophisticated evasion techniques, such as checking Wikipedia responses for specific strings in order to detect and evade sandbox environments.
---------------------------------------------
https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwa…
∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-sec…
∗∗∗ APT29 Uses WINELOADER to Target German Political Parties ∗∗∗
---------------------------------------------
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.
---------------------------------------------
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-p…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
---------------------------------------------
https://lwn.net/Articles/966611/
∗∗∗ Firefox: Emergency update closes critical security vulnerabilities ∗∗∗
---------------------------------------------
The Mozilla developers have closed two critical security vulnerabilities with the update to Firefox 124.0.1 and Firefox ESR 115.9.1.
---------------------------------------------
https://heise.de/-9664148
∗∗∗ Security vulnerabilities in Microsoft's WiX installer toolset patched ∗∗∗
---------------------------------------------
Microsoft's open-source WiX installer toolset has two security vulnerabilities. Updated versions close them.
---------------------------------------------
https://heise.de/-9664602
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ MISP 2.4.188 released with major performance improvements and many bug fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/
∗∗∗ MISP 2.4.187 released with security fixes, new features and bug fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-06
∗∗∗ F5: K000138990 : BIND vulnerability CVE-2023-4408 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138990
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-03-2024 18:00 − Friday 22-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-…
∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗
---------------------------------------------
The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the site's operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-…
∗∗∗ With forged keycards: Hackers can open millions of hotel doors worldwide ∗∗∗
---------------------------------------------
More than three million doors in hotels and apartment buildings are vulnerable to attacks with forged RFID key cards. No expensive special equipment is needed for this.
---------------------------------------------
https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit…
∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗
---------------------------------------------
Attributing a particular IP address to a specific location is hard and often fails miserably.
---------------------------------------------
https://isc.sans.edu/diary/rss/30766
∗∗∗ Support e-mail in the name of Marlene Engelhorn is fake! ∗∗∗
---------------------------------------------
Numerous e-mails are currently circulating in the name of the Austrian millionaire Marlene Engelhorn: she allegedly wants to use part of her inheritance to support "up-and-coming entrepreneurs and local projects". Warning: criminals are behind this e-mail. Under no circumstances should you reply.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-marlene-engelhorn/
∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗
---------------------------------------------
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript.
---------------------------------------------
https://unit42.paloaltonetworks.com/strelastealer-campaign/
∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗
---------------------------------------------
In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/
∗∗∗ Security versus openness: a commentary on Secure Boot ∗∗∗
---------------------------------------------
Secure Boot is complicated, fiddly and dominated by Microsoft. What we need instead are open secure systems, argues Christof Windeck.
---------------------------------------------
https://heise.de/-9659071
=====================
= Vulnerabilities =
=====================
∗∗∗ KDE advises extreme caution after theme wipes Linux users files ∗∗∗
---------------------------------------------
On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
---------------------------------------------
https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
---------------------------------------------
https://lwn.net/Articles/966415/
∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗
---------------------------------------------
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor.
---------------------------------------------
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s…
∗∗∗ Microsoft closes security vulnerability in Xbox gaming service, after some back and forth ∗∗∗
---------------------------------------------
Microsoft has patched a security hole in the Xbox Gaming Service. However, a dispute preceded the fix.
---------------------------------------------
https://heise.de/-9662746
∗∗∗ Critical vulnerability in FortiClientEMS is being exploited ∗∗∗
---------------------------------------------
A critical vulnerability in FortiClientEMS is now being actively exploited. In addition, a proof-of-concept exploit has been made public.
---------------------------------------------
https://heise.de/-9662866
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-03-2024 18:00 − Thursday 21-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗
---------------------------------------------
A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.
---------------------------------------------
https://arstechnica.com/?p=2011812
∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗
---------------------------------------------
Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account…
∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗
---------------------------------------------
A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai…
∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."
---------------------------------------------
https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗
---------------------------------------------
The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.
---------------------------------------------
https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw…
∗∗∗ Fraudulent Europol SMS leads to malware ∗∗∗
---------------------------------------------
The fraudulent SMS, sent out en masse, claims that you are listed as a party in a EUROPOL case. To lodge an objection, you are told to install an app. Caution: you would be installing malware on your device and giving criminals access to your data!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-europol-sms/
∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗
---------------------------------------------
Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor.
---------------------------------------------
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗
---------------------------------------------
Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp…
∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗
---------------------------------------------
The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an infostealer that exfiltrates a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data.
---------------------------------------------
https://asec.ahnlab.com/en/63308/
∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗
---------------------------------------------
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
---------------------------------------------
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗
---------------------------------------------
In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-…
∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel…
=====================
= Vulnerabilities =
=====================
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗
---------------------------------------------
Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
---------------------------------------------
https://lwn.net/Articles/966246/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01
∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138966
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-03-2024 18:00 − Wednesday 20-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗
---------------------------------------------
Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta…
∗∗∗ Android malware, Android malware and more Android malware ∗∗∗
---------------------------------------------
In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan.
---------------------------------------------
https://securelist.com/crimeware-report-android-malware/112121/
∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗
---------------------------------------------
Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch.
---------------------------------------------
https://isc.sans.edu/diary/rss/30762
∗∗∗ Phishing in the name of the Austrian health insurance fund ÖGK ∗∗∗
---------------------------------------------
Beware of fraudulent e-mails you receive in the name of the Österreichische Gesundheitskasse ÖGK. Currently they pretend there is an outstanding refund waiting for you. Do not follow any links and do not disclose any data. Someone is trying to steal your money and data!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/
∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗
---------------------------------------------
Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that you've told your friends and family to stop being reckless too.
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p…
∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗
---------------------------------------------
Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data.
---------------------------------------------
https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e…
∗∗∗ Loop DoS: Various network services suffer from a protocol infinite loop ∗∗∗
---------------------------------------------
Among the services that security researchers have identified as at risk are some from the early days of the Internet. Network admins are now called upon to act.
---------------------------------------------
https://heise.de/-9660179
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/966053/
∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗
---------------------------------------------
There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/
∗∗∗ Atlassian: March round of patches for Bamboo, Bitbucket, Confluence and Jira ∗∗∗
---------------------------------------------
Atlassian addresses 25 security vulnerabilities in Bamboo, Bitbucket, Confluence and Jira. One of them is rated critical.
---------------------------------------------
https://heise.de/-9660075
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html
∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm
∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry
∗∗∗ Chrome web browser: Google closes several security holes ∗∗∗
---------------------------------------------
https://heise.de/-9659978
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily