Daily

daily@lists.cert.at

1 participants
3082 discussions

Tageszusammenfassung - 28.10.2024
by Daily end-of-shift report 28 Oct '24

28 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗ --------------------------------------------- Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i… ∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗ --------------------------------------------- The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar… ∗∗∗ 70 Zero-Day-Lücken ausgenutzt: Pwn2Own-Hacker knacken Samsung Galaxy S24 und mehr ∗∗∗ --------------------------------------------- Bei dem Wettbewerb wurden auch diverse Kameras, Drucker und NAS-Systeme attackiert. An ein Pixel 8 oder iPhone 15 hat sich aber niemand rangetraut. --------------------------------------------- https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna… ∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗ --------------------------------------------- To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry .. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu… ∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗ --------------------------------------------- The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently .. --------------------------------------------- https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h… ∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗ --------------------------------------------- A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers. --------------------------------------------- https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-… ∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗ --------------------------------------------- These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, .. --------------------------------------------- https://zwclose.github.io/2024/10/14/rtsper1.html ∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗ --------------------------------------------- The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for trade craft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that call themselves “You Dun” .. --------------------------------------------- https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d… ∗∗∗ Die NSA empfiehlt wöchentliches Smartphone-Reboot ∗∗∗ --------------------------------------------- Interessante Information, die mir die Woche untergekommen ist. Die US-Sicherheitsbehörde NSA (National Security Agency, Inlandsgeheimdienst) empfiehlt einmal wöchentlich sein Smartphone neu zu starten. Das ganze hat einen sicherheitstechnischen Hintergrund. Durch den Neustart soll Malware, die nicht persistent .. --------------------------------------------- https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s… ∗∗∗ Anatomy of an LLM RCE ∗∗∗ --------------------------------------------- As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r… ∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗ --------------------------------------------- In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-… ∗∗∗ Secure Coding: Unbefugten Zugriff durch Path Traversal (CWE-22) verhindern ∗∗∗ --------------------------------------------- CWE-22 beschreibt die unsachgemäße Veränderung eines Pfadnamens auf ein eingeschränktes Verzeichnis. Wie lässt sich die Schwachstelle in den Griff bekommen? --------------------------------------------- https://heise.de/-9982270 ∗∗∗ Black Basta-Gruppe nutzt Microsoft Teams-Chatfunktion ∗∗∗ --------------------------------------------- Die als "Black Basta" bekannte Ransomware-Gruppe hat einen neuen Mechanismus entwickelt, der die Chatfunktion von Microsoft Teams zur Kontaktaufnahme ausnutzt. --------------------------------------------- https://heise.de/-9995322 ∗∗∗ Nvidia: Rechteausweitung durch Sicherheitslücken in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia warnt vor mehreren Sicherheitslücken in den Grafiktreibern, die etwa das Ausweiten der Rechte ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-9995842 ∗∗∗ Lagebericht 2024: Fast 8 Millionen Mal installierte Malware in Google Play ∗∗∗ --------------------------------------------- IT-Forscher haben die mobile-Malware-Situation der vergangenen 12 Monate untersucht. Mehr als 200 App-Fälschungen lauerten in Google Play. --------------------------------------------- https://heise.de/-9996456 ∗∗∗ VMware Tanzu Spring Security: Umgehung von Autorisierungsregeln möglich ∗∗∗ --------------------------------------------- In VMware Tanzu Spring Security klafft eine kritische Sicherheitslücke, die Angreifern die Umgehung von Autorisierungsregeln ermöglicht. --------------------------------------------- https://heise.de/-9996582 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, .. --------------------------------------------- https://lwn.net/Articles/996085/ ∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78335885/ ∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148252 ∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148256 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2024
by Daily end-of-shift report 25 Oct '24

25 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2024 18:00 − Freitag 25-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Denial of Service in Cisco ASA & FTD und weitere Cisco Advisories ∗∗∗ --------------------------------------------- Cisco berichtet in einem kürzlich veröffentlichten Advisory, sich "malicious use" einer Denial-of-Service Sicherheitslücke in Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN bewusst zu sein. Berichten nach handelt es sich hierbei aber nicht um gezielte Denial-of-Service Angriffe, sondern um Seiteneffekte von breitgestreuten Brute-Force oder Credential-Spraying Attacken. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd… ∗∗∗ Objektorientiert und weniger redundant: Das BSI stellt den IT-Grundschutz++ vor ∗∗∗ --------------------------------------------- Das BSI hat sich das Ziel gesetzt, den IT-Grundschutz anwenderfreundlicher zu machen. Dafür setzt man auf Maschinenlesbarkeit und eine schlankere Dokumentation. --------------------------------------------- https://heise.de/-9994010 ∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. --------------------------------------------- https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h… ∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗ --------------------------------------------- Historically, Mac users havent had to worry about malware as much as their Windows-using cousins. But that doesnt mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real. --------------------------------------------- https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery… ∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗ --------------------------------------------- Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit --------------------------------------------- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus… ∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗ --------------------------------------------- How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began. --------------------------------------------- https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ… ∗∗∗ Moderne Datenkraken: Smart-TVs tracken sogar HDMI-Inhalte ∗∗∗ --------------------------------------------- Smart-TVs werten sogar dann Bildinhalte aus, wenn ein HDMI-Zuspieler genutzt wird. Die Analysen dienen gezielter Werbung. --------------------------------------------- https://heise.de/-9994787 ∗∗∗ Vonovia in der Kritik: Smarte Rauchmelder bergen Risiko der Spionage ∗∗∗ --------------------------------------------- Die Rauchmelder erfassen allerhand Informationen über die Luftqualität und schicken sie durchs Internet - für Kriminelle ein willkommener Datenschatz. [..] Vonovia selbst verarbeitet die Daten angeblich nur in anonymisierter Form. --------------------------------------------- https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2024
by Daily end-of-shift report 24 Oct '24

24 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2024 18:00 − Donnerstag 24-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗ --------------------------------------------- A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt… ∗∗∗ Neue OpenSSL-Lücke ist gefährlich, aber sehr schwer auszunutzen ∗∗∗ --------------------------------------------- Während SuSE und BSI ein hohes Risiko sehen, verweist das OpenSSL-Projekt auf umfangreiche Vorbedingungen eines Exploits. Vorerst kommen keine Updates. [..] Das Risiko der Lücke mit der CVE-ID CVE-2024-9143 schätzten sie als niedrig ein, weil der Fehler schwierig auszunutzen sei. --------------------------------------------- https://heise.de/-9992067 ∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗ --------------------------------------------- Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. --------------------------------------------- https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-… ∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗ --------------------------------------------- In this two post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations. Specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives. --------------------------------------------- https://www.pentestpartners.com/security-blog/investigating-volatile-data-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Zero-Day Schwachstelle in FortiManager wird aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In FortiManager wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht es einem nicht authentifizierten Angreifer aus der Ferne, beliebigen Code oder Befehle auszuführen. CVE-2024-47575, CVSS Base Score: 9.8 --------------------------------------------- https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i… ∗∗∗ Cisco meldet mehr als 35 Sicherheitslücken in Firewall-Produkten ∗∗∗ --------------------------------------------- Ciscos ASA, Firepower und Secure Firewall Management Center weisen teils kritische Sicherheitslücken auf. Mehr als 35 schließen nun verfügbare Updates. [..] Drei der Sicherheitsmeldungen behandeln als kritisches Risiko eingestufte Sicherheitslücken, elf solche mit hohem Risiko, 21 als mittleren Bedrohungsgrad eingestufte Schwachstellen und eine weitere Meldung hat informativen Charakter ohne Risikobewertung. --------------------------------------------- https://heise.de/-9992639 ∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗ --------------------------------------------- Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/995550/ ∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/123336 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unauthentifizierte Path Traversal Schwachstelle in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-… ∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02 ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01 ∗∗∗ Deep Sea Electronics DSE855 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2024
by Daily end-of-shift report 23 Oct '24

23 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2024 18:00 − Mittwoch 23-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now public for a vulnerability in Microsofts Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win… ∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days… ∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗ --------------------------------------------- Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic… ∗∗∗ Android und iOS: Fest codierte Cloud-Zugangsdaten in populären Apps entdeckt ∗∗∗ --------------------------------------------- Betroffen sind mehrere Apps mit teils Millionen von Downloads. Den Entdeckern zufolge gefährdet dies nicht nur Backend-Dienste, sondern auch Nutzerdaten. --------------------------------------------- https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-… ∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗ --------------------------------------------- In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions. --------------------------------------------- https://securelist.com/grandoreiro-banking-trojan/114257/ ∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗ --------------------------------------------- Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain. --------------------------------------------- https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ ∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗ --------------------------------------------- A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active .. --------------------------------------------- https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html ∗∗∗ Achtung Fake-Shop: sparhimmel24.de ∗∗∗ --------------------------------------------- sparhimmel24.de ist ein betrügerischer Online-Shop, der Sie mit vermeintlichen Schnäppchen in die Falle lockt. Bestellungen werden trotz Bezahlung nicht geliefert. Wir zeigen Ihnen wie Sie Fake-Shops erkennen und sich vor Betrug schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de ∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗ --------------------------------------------- We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr… ∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗ --------------------------------------------- Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. --------------------------------------------- https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi… ∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗ --------------------------------------------- WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. --------------------------------------------- https://blog.talosintelligence.com/warmcookie-analysis/ ∗∗∗ Sicherheitslücke in Samsung-Android-Treiber wird angegriffen ∗∗∗ --------------------------------------------- Treiber für Samsungs Mobilprozessoren ermöglichen Angreifern das Ausweiten ihrer Rechte. Google warnt vor laufenden Angriffen darauf. --------------------------------------------- https://heise.de/-9991521 ∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗ --------------------------------------------- In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗ --------------------------------------------- InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901 --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/995293/ ∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language… ∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2024
by Daily end-of-shift report 22 Oct '24

22 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FortiManager: Update dichtet offenbar attackiertes Sicherheitsleck ab ∗∗∗ --------------------------------------------- Ohne öffentliche Informationen hat Fortinet Updates für FortiManager veröffentlicht. Sie schließen offenbar attackierte Sicherheitslücken. --------------------------------------------- https://heise.de/-9990393 ∗∗∗ Auch ein .rdp File kann gefährlich sein ∗∗∗ --------------------------------------------- Heute wurde in ganz Europa eine Spear-Phishing Kampagne beobachtet, bei der es darum geht, dass der Empfänger ein angehängtes RDP File öffnen soll. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein ∗∗∗ Security Flaw in Styras OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗ --------------------------------------------- Details have emerged about a now-patched security flaw in Styras Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html ∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗ --------------------------------------------- The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m… ∗∗∗ OpenSSL 3.4.0 released ∗∗∗ --------------------------------------------- Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds anumber of new encryption algorithms, support for "directly fetchedcomposite signature algorithms such as RSA-SHA2-256", and more. See therelease notes for details. --------------------------------------------- https://lwn.net/Articles/995098/ ∗∗∗ Akira ransomware continues to evolve ∗∗∗ --------------------------------------------- As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the groups attack chain, targeted verticals, and potential future TTPs. --------------------------------------------- https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/ ∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. --------------------------------------------- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ ∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗ --------------------------------------------- In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto… ∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗ --------------------------------------------- This is a continuation of the series on web application security where we dive into cookie dynamics. --------------------------------------------- https://www.bitsight.com/blog/web-application-security-devops-site-and-orig… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗ --------------------------------------------- VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c… ∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗ --------------------------------------------- The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke). --------------------------------------------- https://lwn.net/Articles/995095/ ∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83995/ ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84002/ ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2024
by Daily end-of-shift report 21 Oct '24

21 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2024 18:00 − Montag 21-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab… ∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗ --------------------------------------------- Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t… ∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗ --------------------------------------------- Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser. --------------------------------------------- https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html ∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗ --------------------------------------------- Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s… ∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗ --------------------------------------------- The static analyzer uses Claude AI to identify vulns and suggest exploit code Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropics Claude AI model. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_… ∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗ --------------------------------------------- Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe. --------------------------------------------- https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect… ∗∗∗ Cisco bestätigt Attacke auf DevHub-Portal und nimmt es offline ∗∗∗ --------------------------------------------- Cisco hat aktuell laufende Untersuchungen zu einem IT-Sicherheitsvorfall vorangetrieben und nun eine Attacke bestätigt. Dabei sollen Angreifer Zugriff auf nicht für die Öffentlichkeit bestimmte Daten gehabt haben. --------------------------------------------- https://heise.de/-9987412 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode). --------------------------------------------- https://lwn.net/Articles/994941/ ∗∗∗ Angreifer können PCs mit Virenschutz von Bitdefender und Trend Micro attackieren ∗∗∗ --------------------------------------------- Sicherheitslücken in Virenschutz-Software von Bitdefender und Trend Micro gefährden Systeme. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren, um Attacken vorzubeugen. [..] Im Supportbereich der Bitdefender-Website geben die Entwickler an, in diesem Kontext insgesamt fünf Sicherheitslücken (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) mit dem Bedrohungsgrad "hoch" geschlossen zu haben. Damit so eine Attacke klappt, können Angreifer etwa über Hashkollsionen (MD5 und SHA1) Zertifikate erzeugen, die als legitim durchgewunken werden. Die Sicherheitsprobleme sollen in der sich automatisch installierenden Total-Security-Version 27.0.25.11 gelöst sein. --------------------------------------------- https://heise.de/-9987394 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2024
by Daily end-of-shift report 18 Oct '24

18 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2024 18:00 − Freitag 18-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗ --------------------------------------------- A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc. --------------------------------------------- https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142… ∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗ --------------------------------------------- Introduction In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack… ∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗ --------------------------------------------- Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks."Since October 2023, Iranian ..d --------------------------------------------- https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html ∗∗∗ Intel hits back at Chinas accusations it bakes in NSA backdoors ∗∗∗ --------------------------------------------- Chipzilla says it obeys the law wherever it is, which is nice Intel has responded to Chinese claims that its chips include security backdoors at the direction of Americas NSA. --------------------------------------------- https://www.theregister.com/2024/10/18/intel_china_security_allegations/ ∗∗∗ Alleged Bitcoin crook faces 5 years after SECs X account pwned ∗∗∗ --------------------------------------------- SIM swappers strike again, warping cryptocurrency prices An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commissions X account earlier this year. --------------------------------------------- https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/ ∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗ --------------------------------------------- Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBIs InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led .. --------------------------------------------- https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr… ∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗ --------------------------------------------- One of my Mastodon followers sent me an interesting toot today, which lead to this forum post .. --------------------------------------------- https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe… ∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗ --------------------------------------------- Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/ ∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗ --------------------------------------------- Summary Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, .. --------------------------------------------- https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/ ∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗ --------------------------------------------- North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. --------------------------------------------- https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/ ∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗ --------------------------------------------- Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time .. --------------------------------------------- https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of… ∗∗∗ Apple Passwörter: So lautet das Rezept für generierte Passwörter ∗∗∗ --------------------------------------------- Ein leitender Softwareentwickler Apples erklärt in einem Blogpost, nach welchem Muster Apple Passwörter generiert. --------------------------------------------- https://heise.de/-9986503 ===================== = Vulnerabilities = ===================== ∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1013 ∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗ --------------------------------------------- The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_17 ∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1419/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2024
by Daily end-of-shift report 17 Oct '24

17 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2024 18:00 − Donnerstag 17-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗ --------------------------------------------- Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke… ∗∗∗ Mit Standard-Zugangsdaten: Kubernetes-Lücke ermöglicht Root-Zugriff per SSH ∗∗∗ --------------------------------------------- Betroffen sind Images, die mit dem Kubernetes Image Builder erstellt wurden. Es gibt zwar einen Patch, doch der schützt bestehende Images nicht. --------------------------------------------- https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe… ∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗ --------------------------------------------- The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029. --------------------------------------------- https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a… ∗∗∗ DORA-Kernkonzepte verstehen: Fokus auf "Kritische oder wichtige Funktionen" ∗∗∗ --------------------------------------------- Mit dem Ziel, ein hohes Maß an digitaler operativer Widerstandsfähigkeit zu erreichen, bietet DORA einen umfassenden Rahmen für das wirksame .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor… ∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗ --------------------------------------------- Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen UPDATED Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging .. --------------------------------------------- https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/ ∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗ --------------------------------------------- The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil… ∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗ --------------------------------------------- The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the .. --------------------------------------------- https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan… ∗∗∗ Russische Hackergruppe bekennt sich zu Angriff auf das Internet Archive ∗∗∗ --------------------------------------------- Eine Gruppe namens "SN_BLACKMETA" hat nach eigenen Angaben DDoS-Attacken auf die Internetbibliothek durchgeführt --------------------------------------------- https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken… ∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗ --------------------------------------------- Explore how macOS Gatekeepers security could be compromised by third-party apps not enforcing quarantine attributes effectively. --------------------------------------------- https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Cyber Resilience Act beschlossen ∗∗∗ --------------------------------------------- Der Cyber Resilience Act (CRA) ist eine EU-Verordnung für die Sicherheit in Hard- und Softwareprodukten mit digitalen Elementen, die am 10.10.2024 im Rat der Europäischen Union verabschiedet wurde. Nach der Veröffentlichung im Amtsblatt der EU wird das .. --------------------------------------------- https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/ ∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗ --------------------------------------------- Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest. --------------------------------------------- https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil ∗∗∗ Why Hackers May Be Targeting You ∗∗∗ --------------------------------------------- In todays evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident .. --------------------------------------------- https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗ --------------------------------------------- Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/994630/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2024
by Daily end-of-shift report 16 Oct '24

16 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat. --------------------------------------------- https://asec.ahnlab.com/en/83877/ ∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗ --------------------------------------------- Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany. --------------------------------------------- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info… ∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗ --------------------------------------------- A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us… ∗∗∗ Mehrere Dienste betroffen: Microsoft warnt Kunden vor Datenverlust beim Logging ∗∗∗ --------------------------------------------- Durch einen Softwarefehler hat Microsoft einige für seine Kunden wichtige Protokolldaten verloren. Betroffen sind mehrere Clouddienste des Konzerns. --------------------------------------------- https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-… ∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗ --------------------------------------------- The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said. --------------------------------------------- https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html ∗∗∗ Windows 11 24H2: Probleme mit VPN-Verbindungen, Direct Access … ∗∗∗ --------------------------------------------- Seit Microsoft Windows 11 24H2 allgemein freigegeben hat, sind mir Meldungen zu Problemen rund um das Thema VPN-Verbindungen (CheckPoint VPN, WireGuard, Direct Access) untergekommen. Ich fasse mal einige dieser Meldungen in einem Beitrag zusammen, auch um ein Bild zu bekommen, ob es nur Einzelfälle sind oder ob mehr Leute betroffen sind. --------------------------------------------- https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v… ∗∗∗ Windows 11 24H2: Recall nicht deinstallierbar … ∗∗∗ --------------------------------------------- Trotz gegenteiliger Zusicherungen stellt sich momentan heraus, dass Microsofts umstrittene Funktion Recall sich nicht [ohne Kollateralschäden] unter Windows 11 24H2 deinstallieren lässt – das Ganze ist aktuell aber wohl noch im Fluss. --------------------------------------------- https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins… ∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗ --------------------------------------------- This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran… ∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗ --------------------------------------------- The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines.This enables private data to be held locally instead of being sent to a cloud for processing. --------------------------------------------- https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2024.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim). --------------------------------------------- https://lwn.net/Articles/994436/ ∗∗∗ HP-DesignJet-Drucker: Angreifer können SMTP-Server-Logins abgreifen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, ist die Schwachstelle (CVE-2024-5749) mit dem Bedrohungsgrad "hoch" eingestuft. Klappen Attacken, sind SMTP-Server-Zugangsdaten einsehbar. Wie so ein Angriff ablaufen könnte, führen die HP-Entwickler derzeit nicht aus. Konkret davon betroffen sind die DesignJet-Modelle T730 und T830. --------------------------------------------- https://heise.de/-9983364 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/ ∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_14 ∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_13 ∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html ∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141463 ∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141459 ∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141302 ∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140061 ∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2024
by Daily end-of-shift report 15 Oct '24

15 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗ --------------------------------------------- Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro… ∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗ --------------------------------------------- The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s… ∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗ --------------------------------------------- This blog post is the first of three, that look at the key steps for an effective investigation, response, and remediation to email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv… ∗∗∗ Vorsicht vor Anrufen vom „Bankbetrugssystem Österreich“ ∗∗∗ --------------------------------------------- Derzeit werden uns wieder vermehrt Tonbandanrufe gemeldet. Eine computergenerierte Stimme gibt sich als Bankbetrugssystem Österreich aus und behauptet, dass eine Zahlung von 1500 Euro abgelehnt wurde und Ihr Konto möglicherweise gehackt wurde. Sie werden aufgefordert, die Taste „1“ zu drücken, um mit einer echten Person verbunden zu werden. Legen Sie auf, das ist Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs… ∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗ --------------------------------------------- ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers. --------------------------------------------- https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability, CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability, CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex… ∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗ --------------------------------------------- Today wed like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinets FortiGate devices. It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild. --------------------------------------------- https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗ --------------------------------------------- Splunk released 12 security advisories: 4x high, 8x medium --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Kritische Schwachstellen in Industrieroutern mbNET ∗∗∗ --------------------------------------------- In industriellen Fernwartungsgateways und Industrieroutern mbNET wurden mehrere, teils schwerwiegende Sicherheitsschwachstellen identifiziert. Sie ermöglichen es, das Gerät vollständig zu kompromittieren sowie verschlüsselte Konfigurationen zu entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3). --------------------------------------------- https://lwn.net/Articles/994268/ ∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗ --------------------------------------------- The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve. --------------------------------------------- https://therecord.media/wordpress-jetpack-plugin-fixes-flaw ∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1382/ ∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83868/ ∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128007 ∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
309
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily