Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 27.03.2025
by Daily end-of-shift report 27 Mar '25

27 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-03-2025 18:00 − Donnerstag 27-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗ --------------------------------------------- Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors cloud platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla… ∗∗∗ Cybercrime-Tool Atlantis AIO soll automatisierte Passwort-Attacken optimieren ∗∗∗ --------------------------------------------- Dahinter stecken organisierte Profi-Verbrecher, die ihre Werkzeuge im Darknet mit Werbeanzeigen und Support anpreisen. So auch im Fall des jüngst von Sicherheitsforschern entdeckten Tools Atlantis AIO. --------------------------------------------- https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-… ∗∗∗ Abonnement gekündigt? Achtung: Phishing-Versuch mit Disney+! ∗∗∗ --------------------------------------------- Mit einer angeblich von Disney+ stammenden E-Mail versuchen Kriminelle ihre Opfer auf eine Fake-Loginseite zu locken. Dort fragen sie die Anmeldeinformationen des Abos und Kreditkartendaten ab. Woran Sie den Phishing-Versuch ganz einfach erkennen können, zeigen wir Ihnen hier. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-versuch-disney/ ===================== = Vulnerabilities = ===================== ∗∗∗ Backuplösung SnapCenter: Angreifer können als Admin Systeme übernehmen ∗∗∗ --------------------------------------------- Die Backupsoftware SnapCenter ist verwundbar und Angreifer können sich durch das erfolgreiche Ausnutzen einer „kritischen“ Sicherheitslücke Admin-Rechte verschaffen. In einem Beitrag zur Schwachstelle (CVE-2025-26512) führen die Entwickler aus, die Versionen 6.0.1P1 und 6.1P1 repariert zu haben. Alle vorigen Ausgaben sind attackierbar. --------------------------------------------- https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). --------------------------------------------- https://lwn.net/Articles/1015589/ ∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗ --------------------------------------------- Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ ∗∗∗ Splunk: Teils hochriskante Sicherheitslecks in mehreren Produkten ∗∗∗ --------------------------------------------- Splunk hat eine Reihe an Sicherheitslücken in mehreren Produkten gemeldet. Aktualisierte Software-Pakete stehen zum Herunterladen bereit, mit denen Admins diese Sicherheitslecks stopfen können. --------------------------------------------- https://heise.de/-10330630 ∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00050.html ∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan… ∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2025
by Daily end-of-shift report 26 Mar '25

26 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-03-2025 18:00 − Mittwoch 26-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗ --------------------------------------------- Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local… ∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗ --------------------------------------------- The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen… ∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. --------------------------------------------- https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-… ∗∗∗ Have I Been Pwned: Projektbetreiber Troy Hunt gepwned ∗∗∗ --------------------------------------------- Troy Hunt, Betreiber des Dienstes Have-I-Been-Pwned (HIBP), wurde Opfer einer Phishing-Attacke und damit selbst "Pwned". Es sind 16.627 E-Mail-Adressen der Mailingliste für den Newsletter zu Troys persönlichen Blog dadurch in unbefugte Hände abgeflossen. In einem Blog-Beitrag erklärt Hunt, wie es zu dem Vorfall kommen konnte. --------------------------------------------- https://heise.de/-10328970 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in Kubernetes Ingress NGINX Controller - Updates verfügbar ∗∗∗ --------------------------------------------- Im Kubernetes Ingress NGINX Controller, einer Kernkomponente von Kubernetes, wurden mehrere kritische Sicherheitslücken entdeckt. Diese ermöglichen unter anderem unauthentifizierte Remote Code Execution (RCE) und unberechtigten Zugriff auf Secrets. --------------------------------------------- https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller… ∗∗∗ Dringend patchen: Gefährliche Zero-Day-Lücke in Chrome für Spionage ausgenutzt ∗∗∗ --------------------------------------------- Nachdem Google in seinem Webbrowser Chrome erst in der vergangenen Woche eine kritische Sicherheitslücke geschlossen hatte, legt der Konzern jetzt nochmal nach. Mit einem am Dienstag veröffentlichten Update beseitigt Google eine Schwachstelle, die bereits im Rahmen gezielter Spionageangriffe aktiv ausgenutzt wird. [..] Die Ausnutzung der als CVE-2025-2783 registrierten Chrome-Lücke wurde Mitte März von Sicherheitsforschern von Kaspersky entdeckt. [..] Den Angaben zufolge lässt sich die Sicherheitslücke durch speziell präparierte Webseiten ausnutzen, die die jeweilige Zielperson lediglich aufrufen muss. [..] Einen Bericht mit weiteren technischen Details wollen die Sicherheitsforscher zu einem späteren Zeitpunkt veröffentlichen. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-… ∗∗∗ VMware Tools ermöglichen Rechteausweitung in VMs ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung von Broadcom erörtern die Autoren, dass aufgrund unzureichender Zugriffskontrollen die Umgehung der Authentifizierung möglich ist (CVE-2025-22230, CVSS 7.8, Risiko "hoch"). Bösartige Akteure mit nicht-administrativen Rechten in einem Windows-Gastsystem können dadurch Operationen, die höhere Zugriffsrechte benötigen, ausführen. --------------------------------------------- https://www.heise.de/-10328819 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish). --------------------------------------------- https://lwn.net/Articles/1015464/ ∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗ --------------------------------------------- [security] Fixed stored XSS in event reports (mermaid rendering function). --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.8 ∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-181/ ∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-… ∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-180/ ∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-178/ ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2025
by Daily end-of-shift report 25 Mar '25

25 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-03-2025 18:00 − Dienstag 25-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗ --------------------------------------------- A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steams login page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac… ∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗ --------------------------------------------- OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project. --------------------------------------------- https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating… ∗∗∗ Zero Day: Russische Firma zahlt für Telegram-Lücken Millionen ∗∗∗ --------------------------------------------- Die stetig wachsende Nutzerbasis macht die Plattform auch für Cyberangriffe immer interessanter. Aus diesem Grund bietet der russische Schwachstellenhändler Operation Zero mittlerweile bis zu vier Millionen US-Dollar für ungepatchte Sicherheitslücken in Telegram. --------------------------------------------- https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel… ∗∗∗ Achtung: Phishing-Mails im Namen des Wiener Tourismusverbands! ∗∗∗ --------------------------------------------- Aktuell kursieren E-Mails im Namen der Buchhaltung, die dazu auffordern, Rechnungen aufgrund technischer Probleme direkt per E-Mail zu senden. Vorsicht: Diese E-Mails stammen nicht von Mitarbeitenden des Wiener Tourismusverband sondern von Kriminellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-… ∗∗∗ Oracle angeblich gehackt: Nutzerdaten im Darknet zum Verkauf ∗∗∗ --------------------------------------------- Sicherheitsforscher von CloudSEK berichten, dass im Darknet sensible Daten von rund 140.000 Oracle-Kunden zum Verkauf stehen. Diese Informationen sollen aus einer Cyberattacke stammen. Dem Hard- und Softwarehersteller zufolge hat es keinen IT-Sicherheitsvorfall gegeben. --------------------------------------------- https://heise.de/-10327980 ∗∗∗ US-Behörde stoppt Gelder für Lets Encrypt und Tor ‒ Open Tech Fund wehrt sich ∗∗∗ --------------------------------------------- Nach einem Dekret von US-Präsident Trump erhält der Open Technology Fund keine Fördermittel mehr. Deswegen zieht die Organisation jetzt vor Gericht. --------------------------------------------- https://heise.de/-10328226 ∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures. --------------------------------------------- https://thecyberexpress.com/fake-hiring-challenge-targets-developers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗ --------------------------------------------- On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place. --------------------------------------------- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-… ∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗ --------------------------------------------- Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. --------------------------------------------- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities ∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131009 ∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131008 ∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131007 ∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131006 ∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131005 ∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html ∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03 ∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02 ∗∗∗ ABB RMC-100 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01 ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2025
by Daily end-of-shift report 24 Mar '25

24 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-03-2025 18:00 − Montag 24-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗ --------------------------------------------- The FBI is warning that fake online document converters are being used to steal peoples information and, in worst-case scenarios, lead to ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f… ∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗ --------------------------------------------- Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un… ∗∗∗ Trusted Signing: Hacker signieren Windows-Malware über Microsoft-Plattform ∗∗∗ --------------------------------------------- Forscher haben Malware entdeckt, die über Microsofts neue Trusted-Signing-Plattform signiert wurde. Windows-Systeme lassen sich damit leichter infizieren. --------------------------------------------- https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo… ∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗ --------------------------------------------- The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbases open-source projects, before evolving into something more widespread in scope."The payload was focused on .. --------------------------------------------- https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html ∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 .. --------------------------------------------- https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html ∗∗∗ Oracle Cloud says its not true someone broke into its login servers and stole data ∗∗∗ --------------------------------------------- Despite evidence to the contrary as alleged pilfered info goes on sale Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. --------------------------------------------- https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti… ∗∗∗ Verfassungsschutz: Deutsche NGOs Ziel von russischen Cyberangriffen ∗∗∗ --------------------------------------------- Das Bundesamt für Verfassungsschutz hat einige zivilgesellschaftliche Organisationen alarmiert, dass sie verstärkt im Fokus russischer Cyberattacken stünden. --------------------------------------------- https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ… ∗∗∗ Google Maps: Falsche Schlüsseldienste und Co. spähen Nutzer aus ∗∗∗ --------------------------------------------- Der Navigationsdienst Google Maps klagt gegen unechte Geschäfte auf seiner Plattform, die Nutzerdaten abschöpften und verkauften. --------------------------------------------- https://heise.de/-10325360 ∗∗∗ How to find Next.js on your network ∗∗∗ --------------------------------------------- On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see .. --------------------------------------------- https://www.runzero.com/blog/next-js/ ∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗ --------------------------------------------- This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and .. --------------------------------------------- https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2025
by Daily end-of-shift report 21 Mar '25

21 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-03-2025 18:00 − Freitag 21-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Angreifer machen sich an Hintertür in Cisco Smart Licensing Utility zu schaffen ∗∗∗ --------------------------------------------- Wie Sicherheitsforscher berichten, fangen Angreifer derzeit an, zwei Schwachstellen in Cisco Smart Licensing Utility auszunutzen. Darüber verschaffen sie sich Zugang mit Adminrechten. Sicherheitspatches sind schon länger verfügbar. [..] Die „kritischen“ Lücken (CVE-2024-20439, CVE-2024-20440) sind seit Anfang September 2024 bekannt. --------------------------------------------- https://heise.de/-10323893 ∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗ --------------------------------------------- Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsofts review process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down… ∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗ --------------------------------------------- The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. --------------------------------------------- https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h… ∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗ --------------------------------------------- Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Heres what you need to know. --------------------------------------------- https://www.wired.com/story/trump-era-digital-expat/ ∗∗∗ Fake-Shops wie eu.stanlaystore.com locken mit günstigen Stanley Cups ∗∗∗ --------------------------------------------- Stanley Cups gehören aktuell zu den beliebtesten Thermoskannen auf dem Markt. Leider machen sich auch Kriminelle die hohe Nachfrage zunutze und bieten die trendigen Becher in Fake-Shops an. Wie zum Beispiel die Website eu.stanlaystore.com, die mit unschlagbar günstigen Preisen lockt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc… ∗∗∗ Achtung Phishing: So funktioniert der neue Debitkarten-Betrug ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit vermehrt gefälschte E-Mails im Namen der Erste Bank. Darin wird behauptet, dass Ihre Debitkarte veraltet sei und Sie eine neue Karte beantragen müssen. Mit dieser Betrugsmasche versuchen Kriminelle, an Ihre Debitkarte samt PIN zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der… ∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗ --------------------------------------------- Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages. --------------------------------------------- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/ ∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗ --------------------------------------------- Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services. --------------------------------------------- https://therecord.media/russia-websites-dark-reported-cloudflare-block ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in NAKIVO Backup ＆ Replication ∗∗∗ --------------------------------------------- A vulnerability has been discovered in NAKIVO Backup ＆ Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-08 ∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-656895.html ∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-02 ∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2025
by Daily end-of-shift report 20 Mar '25

20 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-03-2025 18:00 − Donnerstag 20-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗ --------------------------------------------- Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl… ∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗ --------------------------------------------- The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. --------------------------------------------- https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html ∗∗∗ Phishing-Versuche im Namen der Oberbank – „Bitte aktualisieren Sie Ihre persönlichen Informationen“ ∗∗∗ --------------------------------------------- Mit Fake-SMS-Nachrichten versuchen Kriminelle gerade verstärkt, Opfer auf gefälschte Kundenportale der Oberbank zu leiten. Ziel der Phishing-Attacke sind sensible Bankdaten. Hier erfahren Sie, wie der Betrugsversuch abläuft und wie Sie den Fake erkennen. Außerdem erklären wir, was Sie tun können, falls Sie Ihre persönlichen Informationen bereits an die Betrüger:innen übermittelt haben. --------------------------------------------- https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing… ∗∗∗ Presseaussendung: Fake-Shops, Produktpiraterie und Co. als Bedrohung für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Fake-Shops, Markenfälschungen, Produktpiraterie oder Verletzungen des geistigen Eigentums: Die Bedrohungen im E-Commerce sind vielfältig und können für österreichische Unternehmer:innen nicht nur zu finanziellen Verlusten durch betrügerische Konkurrenz führen, sondern auch das Vertrauen der Kund:innen in den Online-Handel als Ganzes untergraben. --------------------------------------------- https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de… ∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗ --------------------------------------------- The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing. --------------------------------------------- https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗ --------------------------------------------- Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp… ∗∗∗ Google warnt: Kritische Sicherheitslücke in Chrome gefährdet Nutzer ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für seinen Webbrowser Chrome veröffentlicht. [..] Mit Details zu der als CVE-2025-2476 registrierten Schwachstelle hält sich Google in seiner Versionsankündigung aus Sicherheitsgründen noch zurück. --------------------------------------------- https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom… ∗∗∗ Veeam Backup & Replication RCE-Schwachstelle CVE-2025-23120 ∗∗∗ --------------------------------------------- Nutzer von Veeam Backup & Replication müssen reagieren. Der Anbieter Veeam hat zum 19. März 2025 über eine Remote Code Execution (RCE) Schwachstelle CVE-2025-23120 in verschiedenen Versionen des genannten Produkts informiert. Es gibt Sicherheitsupdates, um diese Schwachstelle zu schließen. --------------------------------------------- https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa… ∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-175/ ∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-174/ ∗∗∗ Schwerwiegende Sicherheitslücken bedrohen Serverbetriebssystem IBM AIX ∗∗∗ --------------------------------------------- https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0002.html ∗∗∗ SMA Sunny Portal ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2025
by Daily end-of-shift report 19 Mar '25

19 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-03-2025 18:00 − Mittwoch 19-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗ --------------------------------------------- Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps… ∗∗∗ Why its time for phishing prevention to move beyond email ∗∗∗ --------------------------------------------- While phishing has evolved, email security hasnt kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Securitys browser-based security stops attacks as they happen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr… ∗∗∗ iOS-Nutzer gefährdet: Phishing-Lücke in Passwords-App erst nach Monaten gepatcht ∗∗∗ --------------------------------------------- Apples Passwords-App hat Weiterleitungen zur Passwortänderung über unsicheres HTTP abgewickelt. Angreifer hätten auf Phishingseiten umleiten können. --------------------------------------------- https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-… ∗∗∗ Malware im Anmarsch: Ungepatchte Windows-Lücke wird seit 8 Jahren ausgenutzt ∗∗∗ --------------------------------------------- Hacker nutzen die Schwachstelle schon mindestens seit 2017 aus. Ein Patch ist bisher nicht in Sicht. Auch Ziele in Deutschland sind bereits attackiert worden. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi… ∗∗∗ Arcane stealer: We want all your data ∗∗∗ --------------------------------------------- The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers. --------------------------------------------- https://securelist.com/arcane-stealer/115919/ ∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗ --------------------------------------------- Today, were thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities .. --------------------------------------------- https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi… ∗∗∗ Buying browser extensions for fun and profit ∗∗∗ --------------------------------------------- Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking .. --------------------------------------------- https://secureannex.com/blog/buying-browser-extensions/ ∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗ --------------------------------------------- The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a .. --------------------------------------------- https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/ ∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗ --------------------------------------------- Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act… ∗∗∗ Website-Kidnapping: So schützen Sie Ihre Website vor Hackingangriffen! ∗∗∗ --------------------------------------------- Immer öfter geraten österreichische Unternehmen ins Visier von Kriminellen, die ihre Website unbemerkt manipulieren, um Kund:innen auf Fake-Shops oder andere illegale Inhalte weiterzuleiten. Besonders gefährdet sind kleine und mittlere Unternehmen (KMU), da sie oft nicht über ausreichende IT-Sicherheitsmaßnahmen verfügen. --------------------------------------------- https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-… ∗∗∗ Russland vergiftet KI-Chatbots wie ChatGPT gezielt mit Propaganda ∗∗∗ --------------------------------------------- Rund 3,6 Millionen Artikel des russischen Pravda-Netzwerks sollen in das Trainingsmaterial westlicher KI-Systeme eingeflossen sein. So werden Fake News via KI verbreitet --------------------------------------------- https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo… ∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗ --------------------------------------------- In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection. --------------------------------------------- https://therecord.media/ron-deibert-citizen-lab-spyware-interview ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-149/ ∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-151/ ∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-150/ ∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-172/ ∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗ --------------------------------------------- Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2025
by Daily end-of-shift report 18 Mar '25

18 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-03-2025 18:00 − Dienstag 18-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗ --------------------------------------------- A new critical severity vulnerability found in American Megatrends Internationals MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can… ∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗ --------------------------------------------- Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys… ∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious .. --------------------------------------------- https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html ∗∗∗ Britische Hintertüren: Verdacht nach Apple auch bei Google ∗∗∗ --------------------------------------------- Britische Überwacher verlangen weltweiten Zugriff auf Apple-Backups. Apple darf das nicht bestätigen und ist damit offenbar kein Einzelfall. --------------------------------------------- https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n… ∗∗∗ FBI-Warnung: Betrügerische Online-Dateikonverter schleusen Trojaner in Dokumente ∗∗∗ --------------------------------------------- Wer kostenlose Onlinedienste zum Umwandeln von etwa Textdateien nutzt, kann sich Malware einfangen. Darauf weist das FBI hin. --------------------------------------------- https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On… ∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗ --------------------------------------------- In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst .. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst… ∗∗∗ Betrügerisches Gewinnspiel: Abofalle statt günstigem Thermomix! ∗∗∗ --------------------------------------------- Frau S. wünscht sich schon lange einen Thermomix. Bisher schreckte sie jedoch der hohe Preis der Küchenmaschine ab. Umso größer ist ihre Freude, als sie im Internet sieht, dass sie nach der Teilnahme an einer Umfrage den Thermomix für nur zwei Euro erhalten kann. Doch Vorsicht: Statt eines günstigen Thermomix erwartet sie eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle… ∗∗∗ Google-Mutter Alphabet bietet für Cybersecurity-Startup Wiz 30 Milliarden Dollar ∗∗∗ --------------------------------------------- Es wäre die größte Transaktion von Alphabet. Ein Angebot über 23 Milliarden Dollar war im Vorjahr abgelehnt worden --------------------------------------------- https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy… ∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗ --------------------------------------------- OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services. --------------------------------------------- https://therecord.media/crypto-okx-shuts-down-exchange ∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗ --------------------------------------------- Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. --------------------------------------------- https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom… ∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗ --------------------------------------------- An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA. --------------------------------------------- https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys ∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗ --------------------------------------------- Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited? --------------------------------------------- https://projectblack.io/blog/security-risks-of-setting-access-control-allow… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-003 ∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-002 ∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VEV00001/ ∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00015/ ∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2025
by Daily end-of-shift report 17 Mar '25

17 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-03-2025 18:00 − Montag 17-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗ --------------------------------------------- A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric… ∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗ --------------------------------------------- Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau… ∗∗∗ Mirai Bot now incroporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗ --------------------------------------------- Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescount, about 700,000 devices were exposed to these vulnerabilities .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi… ∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗ --------------------------------------------- The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a .. --------------------------------------------- https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre… ∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as .. --------------------------------------------- https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html ∗∗∗ Microsoft wouldnt look at a bug report without a video. Researcher maliciously complied ∗∗∗ --------------------------------------------- Maddening techno loop, Zoolander reference, and 14 minutes of time wasted A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation. --------------------------------------------- https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/ ∗∗∗ Fake-Sicherheitswarnung: Betrüger versuchen Github-Konten zu kapern ∗∗∗ --------------------------------------------- Sicherheitsforscher berichten über Angriffsversuche auf rund 12.000 Github-Repositories. Dabei wollen Angreifer die volle Kontrolle über Konten erlangen. --------------------------------------------- https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu… ∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗ --------------------------------------------- A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish .. --------------------------------------------- https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three… ∗∗∗ RCS: Apple und Google einigen sich auf Ende-zu-Ende-verschlüsselte Kommunikation ∗∗∗ --------------------------------------------- Neue Version des SMS-Nachfolgers unterstützt sichere Verschlüsselung, die beiden Branchengrößen wollen das bei Android und iPhone übernehmen --------------------------------------------- https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen… ∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗ --------------------------------------------- The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app. --------------------------------------------- https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe ∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗ --------------------------------------------- Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group. --------------------------------------------- https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo… ∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗ --------------------------------------------- Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware. --------------------------------------------- https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/ ∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗ --------------------------------------------- The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications.MFA Remains Crucial, But Not Invulnerable: .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b… ∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗ --------------------------------------------- On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers .. --------------------------------------------- https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti… ∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗ --------------------------------------------- I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, .. --------------------------------------------- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), .. --------------------------------------------- https://lwn.net/Articles/1014437/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2025
by Daily end-of-shift report 14 Mar '25

14 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-03-2025 18:00 − Freitag 14-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗ --------------------------------------------- A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex… ∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat… ∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗ --------------------------------------------- Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards. --------------------------------------------- https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than… ∗∗∗ CISA: We didnt fire red teams, we just unhired a bunch of them ∗∗∗ --------------------------------------------- Agency tries to save face as it also pulls essential funding for election security initiatives Uncle Sams cybersecurity agency is trying to save face by seeking to clear up what its calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams. --------------------------------------------- https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/ ∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗ --------------------------------------------- The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say. --------------------------------------------- https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-… ∗∗∗ Fernzugriff: Ivanti Secure Access Client als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt unter Windows eine Lücke in Ivanti Secure Access Client. --------------------------------------------- https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa… ∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗ --------------------------------------------- Three unusual malware samples analyzed here include an ISS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework. --------------------------------------------- https://unit42.paloaltonetworks.com/unusual-malware/ ∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗ --------------------------------------------- One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline. --------------------------------------------- https://therecord.media/ransomware-attack-micronesia-health-system ∗∗∗ Europes telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗ --------------------------------------------- State-sponsored cyber espionage is a bigger threat than ever to Europes telecommunications networks, according to a new assessment from Denmarks government. --------------------------------------------- https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r… ∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗ --------------------------------------------- Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said. --------------------------------------------- https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr… ∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗ --------------------------------------------- Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni… ∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗ --------------------------------------------- Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time --------------------------------------------- https://blog.hartwork.org/posts/expat-2-7-0-released/ ∗∗∗ Memory Corruption in Delphi ∗∗∗ --------------------------------------------- Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are .. --------------------------------------------- https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/ ∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗ --------------------------------------------- At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign. --------------------------------------------- https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-135/ ∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-134/ ∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-133/ ∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-132/ ∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-131/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily