=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-09-2024 18:00 − Monday 16-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗
---------------------------------------------
Infection corrals devices running AOSP-based firmware into a botnet.
---------------------------------------------
https://arstechnica.com/?p=2049773
∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗
---------------------------------------------
A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio…
∗∗∗ After cyberattack: Hackers publish Kawasaki data on the darknet ∗∗∗
---------------------------------------------
Kawasaki itself claims the cyberattack was "not successful". Nevertheless, almost 500 GBytes of company data have surfaced on the darknet.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa…
∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗
---------------------------------------------
In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force…
∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage ..
---------------------------------------------
https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h…
∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗
---------------------------------------------
Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance. One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US.
---------------------------------------------
https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/
∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗
---------------------------------------------
Putting a spanner in work for plans of opposition party to launch a comeback during next year's elections. One of Germany's major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems.
---------------------------------------------
https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/
∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗
---------------------------------------------
A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would ..
---------------------------------------------
https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene…
∗∗∗ Acute wave of DDoS attacks against Austrian companies and organizations ∗∗∗
---------------------------------------------
Recently, various Austrian companies and organizations from different industries and sectors have been facing DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In light of current events, we recommend ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024
∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗
---------------------------------------------
Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups.
---------------------------------------------
https://therecord.media/germany-cyberattack-radio-geretsried
∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗
---------------------------------------------
Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data.
---------------------------------------------
https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl).
---------------------------------------------
https://lwn.net/Articles/990455/
∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗
---------------------------------------------
Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as ..
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.198
∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1226/
∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1225/
∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1224/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-09-2024 18:00 − Friday 13-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗
---------------------------------------------
With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed…
∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗
---------------------------------------------
A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers.
---------------------------------------------
https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/
∗∗∗ After CrowdStrike: Microsoft plans to remove security solutions from the Windows kernel ∗∗∗
---------------------------------------------
Microsoft has outlined initial plans for securing Windows systems so that a broken update of an endpoint security solution does not drag the entire operating system into the abyss.
---------------------------------------------
https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s…
∗∗∗ I stole 20 GB of data from Capgemini – and now I'm leaking it, says cybercrook ∗∗∗
---------------------------------------------
A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br…
∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗
---------------------------------------------
Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions.
---------------------------------------------
https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-…
∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability.
---------------------------------------------
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di…
∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗
---------------------------------------------
A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.
---------------------------------------------
https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-…
∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗
---------------------------------------------
This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website.
---------------------------------------------
https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten…
∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗
---------------------------------------------
I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/
∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗
---------------------------------------------
As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections.
---------------------------------------------
https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s…
=====================
= Vulnerabilities =
=====================
NTR
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-09-2024 18:00 − Thursday 12-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗
---------------------------------------------
GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip…
∗∗∗ Security package: CCC threatens to publish guides to sabotaging surveillance ∗∗∗
---------------------------------------------
Civil society organizations are outraged by the federal government's security package. The "cheap populism" plays into the hands of right-wing extremists.
---------------------------------------------
https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue…
∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗
---------------------------------------------
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, ..
---------------------------------------------
https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2…
∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗
---------------------------------------------
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO ..
---------------------------------------------
https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html
∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗
---------------------------------------------
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel ..
---------------------------------------------
https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht…
∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗
---------------------------------------------
Hauling in 30,000 staff IN PERSON to do password resets. Breaking: Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments.
---------------------------------------------
https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/
∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗
---------------------------------------------
Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to ..
---------------------------------------------
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail…
∗∗∗ Living off the land, GPO style ∗∗∗
---------------------------------------------
TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗
---------------------------------------------
Attacks surge again in second quarter of 2024 as attackers bounce back from disruption.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Introduction to Third-Party Risk Management ∗∗∗
---------------------------------------------
In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on other’s expertise or cutting costs on already existing processes.
---------------------------------------------
https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen…
∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗
---------------------------------------------
CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/
∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗
---------------------------------------------
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗
---------------------------------------------
Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, ..
---------------------------------------------
https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1
∗∗∗ Microsoft Office: ActiveX is being switched off ∗∗∗
---------------------------------------------
It had been quiet around it for a while, but ActiveX still exists. Upcoming Microsoft Office versions are finally switching off support. Well, almost.
---------------------------------------------
https://heise.de/-9865690
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-09-2024 18:00 − Wednesday 11-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗
---------------------------------------------
A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-…
∗∗∗ Air-gapped systems: Malware uses LCD pixel patterns to exfiltrate data via sound ∗∗∗
---------------------------------------------
Reception takes place, for example, via a nearby smartphone. The data rate is low, but sufficient for keylogging and passwords.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-…
∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗
---------------------------------------------
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts' capabilities.
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo…
∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that ..
---------------------------------------------
https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗
---------------------------------------------
CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities. Patch Tuesday: Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.
---------------------------------------------
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
∗∗∗ So you paid a ransom demand … and now the decryptor doesn't work ∗∗∗
---------------------------------------------
A really big oh sh*t moment, for sure. For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.
---------------------------------------------
https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗
---------------------------------------------
On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.
---------------------------------------------
https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-…
∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗
---------------------------------------------
In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008…
∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗
---------------------------------------------
We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr…
∗∗∗ The September 2024 Security Update Review ∗∗∗
---------------------------------------------
We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from ..
---------------------------------------------
https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re…
∗∗∗ SBOMs and the importance of inventory ∗∗∗
---------------------------------------------
Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory
∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗
---------------------------------------------
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..
---------------------------------------------
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
---------------------------------------------
https://lwn.net/Articles/989772/
∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-09-2024 18:00 − Tuesday 10-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗
---------------------------------------------
The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so…
∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗
---------------------------------------------
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo…
∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗
---------------------------------------------
The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s…
∗∗∗ Russia's top-secret military unit reportedly plots undersea cable sabotage ∗∗∗
---------------------------------------------
US alarmed by heightened Kremlin naval activity worldwide. Russia's naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
---------------------------------------------
https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot…
∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗
---------------------------------------------
Introduction: Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-…
∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗
---------------------------------------------
Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach.
---------------------------------------------
https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi…
∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗
---------------------------------------------
The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility.
---------------------------------------------
https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too…
∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗
---------------------------------------------
This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri…
∗∗∗ Companies overestimate their own readiness to defend against hackers ∗∗∗
---------------------------------------------
According to a recent study, 86 percent of the companies surveyed paid a "ransom" last year after their systems were infected
---------------------------------------------
https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene…
∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗
---------------------------------------------
Explore Unit 42's review of North Korean APT groups and their impact, detailing the top 10 malware and tools we've seen from these threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g…
∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗
---------------------------------------------
Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar…
∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗
---------------------------------------------
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) ..
---------------------------------------------
https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso…
∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗
---------------------------------------------
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.
---------------------------------------------
https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware
∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus…
∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗
---------------------------------------------
Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work.
---------------------------------------------
https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-…
∗∗∗ Due to US ban: Kaspersky customers receive UltraAV from Pango ∗∗∗
---------------------------------------------
Following the ban in the USA, the company is now switching customers to UltraAV, Kaspersky confirms to heise online.
---------------------------------------------
https://heise.de/-9862992
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security…
∗∗∗ September 2024 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/september-2024-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-09-2024 18:00 − Monday 09-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗
---------------------------------------------
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-f…
∗∗∗ Software error in state election: CCC criticizes lack of transparency in election software ∗∗∗
---------------------------------------------
A "botched implementation" may have led to the calculation error in the state election in Saxony. The CCC demands more transparency.
---------------------------------------------
https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-in…
∗∗∗ Attack on air-gapped systems: malware exfiltrates data wirelessly through RAM ∗∗∗
---------------------------------------------
The attack technique does not deliver a high data rate, but it is sufficient for real-time keylogging and for exfiltrating passwords and RSA keys.
---------------------------------------------
https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltrier…
∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗
---------------------------------------------
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threa…
∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗
---------------------------------------------
An anonymous reader shares a report: ChatGPT's 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream there's still plenty of money to be made -- especially if you're catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months ..
---------------------------------------------
https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-…
∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗
---------------------------------------------
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-…
∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗
---------------------------------------------
Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-a…
∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗
---------------------------------------------
Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions.
---------------------------------------------
https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrast…
∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗
---------------------------------------------
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
---------------------------------------------
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-…
∗∗∗ Sextortion scam attempt I: recording of porn consumption; and "invoice payment" ∗∗∗
---------------------------------------------
Sextortion campaigns are currently running again, in which victims are to be blackmailed by email with allegedly compromising material. I am therefore summarizing some information from the last few days about ongoing sextortion campaigns in ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzei…
∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗
---------------------------------------------
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
---------------------------------------------
https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-dat…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-ex…
∗∗∗ Keeping an eye on your own identity: Google Dark Web Report warns of data leaks ∗∗∗
---------------------------------------------
Google's Dark Web Report lets you monitor your own identity for data breaches. The service is now free and no longer part of a subscription.
---------------------------------------------
https://heise.de/-9860797
∗∗∗ Poland breaks up ring of cyber saboteurs ∗∗∗
---------------------------------------------
EU and NATO member Poland is increasingly the target of cyberattacks. Warsaw suspects the activity of Russian and Belarusian intelligence services behind them.
---------------------------------------------
https://heise.de/-9862555
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1196/
∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00180.html
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-09-2024 18:00 − Friday 06-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US charges Russian GRU hackers behind WhisperGate intrusions ∗∗∗
---------------------------------------------
Feds post $10 million bounty for each of the six's whereabouts. The US today charged five Russian military intelligence officers and one civilian for their involvement with the data-wiping WhisperGate campaign conducted against Ukraine in January 2022 before the ground invasion began.
---------------------------------------------
https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/
∗∗∗ Ransomware Gang Claims Cyberattack on Planned Parenthood ∗∗∗
---------------------------------------------
Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week.
---------------------------------------------
https://www.securityweek.com/ransomware-gang-claims-cyberattack-on-planned-…
∗∗∗ Security vulnerabilities in Veeam Backup & Replication - updates available ∗∗∗
---------------------------------------------
The software vendor Veeam has released updates for several of its products. Among the security vulnerabilities fixed in this release is CVE-2024-40711, a severe vulnerability in Veeam Backup & Replication. Exploiting this vulnerability allows attackers, without authentication, ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/sicherheitslucken-in-veeam-backup-r…
∗∗∗ Active exploitation of a security vulnerability in SonicWall SonicOS (CVE-2024-40766) ∗∗∗
---------------------------------------------
On 21.08.2024, the vendor SonicWall published an advisory on a severe security vulnerability in SonicOS, its operating system for network devices. Exploitation of this vulnerability, CVE-2024-40766, could allow attackers to crash affected devices. At the same time as the ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/aktive-ausnutzung-einer-sicherheits…
∗∗∗ Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware ∗∗∗
---------------------------------------------
Colombia’s President Gustavo Petro said Wednesday that his administration is probing the disappearance of $11 million allegedly used to buy powerful Pegasus spyware, which he said he believes was acquired by the previous administration.
---------------------------------------------
https://therecord.media/colombian-president-pegasus-spyware-israel-missing-…
∗∗∗ Password spraying attacks on (Sophos) firewalls from IP 92.53.65.166 ∗∗∗
---------------------------------------------
Brief information for administrators of Sophos firewalls - a reader pointed out to me that since 5 September 2024 he has been observing increased attack attempts on his Sophos firewalls. In particular, the VPN portal is being flooded with login attempts via port 443 ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/06/passwort-spraying-angriffe-auf-sop…
∗∗∗ Hunting Chromium Notifications ∗∗∗
---------------------------------------------
Browser notifications provide social-engineering opportunities. In this post we'll cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations.
---------------------------------------------
https://blog.nviso.eu/2024/09/06/hunting-chromium-notifications/
∗∗∗ The best and worst ways to get users to improve their account security ∗∗∗
---------------------------------------------
In my opinion, mandatory enrollment is best enrollment.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-5-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1195/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-09-2024 18:00 − Thursday 05-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords ∗∗∗
---------------------------------------------
Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-to…
∗∗∗ Windows 11/Server 2024 SMB Security-Hardening ∗∗∗
---------------------------------------------
In anticipation of the upcoming releases of Windows 11 24H2 and Windows Server 2025, Microsoft published a Techcommunity post on "SMB Security-Hardening" at the end of August 2024. It is part of the Microsoft Secure Future Initiative (SFI), and the operating systems are meant to ship with hardened SMB settings from the start in order to better protect against cyberattacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-securit…
∗∗∗ CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) ∗∗∗
---------------------------------------------
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we’ll outline them now.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-una…
∗∗∗ Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions ∗∗∗
---------------------------------------------
In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our ‘fake’ action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code.
---------------------------------------------
https://orca.security/resources/blog/typosquatting-in-github-actions/
∗∗∗ Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ∗∗∗
---------------------------------------------
On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware.
---------------------------------------------
https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam warns of critical RCE flaw in Backup & Replication software ∗∗∗
---------------------------------------------
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-…
∗∗∗ Attackers can slip through a backdoor in Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
Due to several vulnerabilities, attacks on Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager and Smart Licensing Utility are conceivable. [..] Smart Licensing Utility is threatened by two "critical" security vulnerabilities (CVE-2024-20439, CVE-2024-20440). In the first case, a remote attacker can access instances without logging in because of static admin credentials. With the account's admin rights, an attacker gains full control. [..] Meraki Systems Manager Agent for Windows can choke on a DLL file crafted with malicious code because of a vulnerability (CVE-2024-20430, "high"). [..]
---------------------------------------------
https://heise.de/-9857962
∗∗∗ Drupal: Security advisories 2024-September-04 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories (1x Critical, 4x Moderately critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc).
---------------------------------------------
https://lwn.net/Articles/989046/
∗∗∗ Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-09-2024 18:00 − Wednesday 04-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloning YubiKeys? ∗∗∗
---------------------------------------------
There was a sensationalist report about this today: they can be cloned. [..] That is clearly not good. But as so often with headlines of this kind, it is worth reading more closely what actually happened and how realistic the attacks really are.
---------------------------------------------
https://www.cert.at/de/blog/2024/9/yubikeys-eucleak
∗∗∗ Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers ∗∗∗
---------------------------------------------
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads.
---------------------------------------------
https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
∗∗∗ Hackers inject malicious JS in Cisco store to steal credit cards, credentials ∗∗∗
---------------------------------------------
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-inject-malicious-js-…
∗∗∗ Mallox ransomware: in-depth analysis and evolution ∗∗∗
---------------------------------------------
In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.
---------------------------------------------
https://securelist.com/mallox-ransomware/113529/
∗∗∗ Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion ∗∗∗
---------------------------------------------
While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
∗∗∗ Advanced forensic techniques for recovering hidden data in wearable device ∗∗∗
---------------------------------------------
This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality.
---------------------------------------------
https://www.pentestpartners.com/security-blog/advanced-forensic-techniques-…
∗∗∗ Beware of US Green Card lottery providers such as AmericanGC.com ∗∗∗
---------------------------------------------
For many, the USA is a dream destination for emigration. The Green Card lottery enables up to 50,000 people per year to immigrate with a Green Card. Demand for this lottery is high, and dubious and fraudulent providers such as AmericanGC.com take advantage of that.
---------------------------------------------
https://www.watchlist-internet.at/news/green-card-americangccom/
∗∗∗ US authorities to secure Internet routing ∗∗∗
---------------------------------------------
The White House is putting pressure on agencies: they are to secure their network routes cryptographically. Only then can errors be noticed.
---------------------------------------------
https://heise.de/-9856483
∗∗∗ Mesh Wi-Fi from Plume Design: expensive snooping ∗∗∗
---------------------------------------------
Mesh networks are good against Wi-Fi dead spots. But beware: a US manufacturer monitors users with its routers and extenders and freely passes on confidential data. An investigation by Erik Bärwaldt (data protection, Wi-Fi)
---------------------------------------------
https://www.golem.de/news/mesh-wlan-von-plume-design-teure-bespitzelung-240…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
---------------------------------------------
https://lwn.net/Articles/988746/
∗∗∗ Android Patchday: updates close several high-risk vulnerabilities ∗∗∗
---------------------------------------------
Now it is up to the phone manufacturers to pour the security-relevant bug fixes into firmware updates for the Android smartphones and distribute them to the affected customers.
---------------------------------------------
https://heise.de/-9856847
∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67963942/
∗∗∗ Progress: OpenEdge Third-Party Vulnerabilities Fixed In OpenEdge LTS Update 11.7.20 ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/OpenEdge-Third-Party-Vulnerabiliti…
∗∗∗ Hitachi Energy: Multiple vulnerabilities in Hitachi Energy MicroSCADA X SYS600 product ∗∗∗
---------------------------------------------
https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageC…
∗∗∗ Zyxel security advisory for OS command injection vulnerability in APs and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox and Focus ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ C-MOR: Multiple security vulnerabilities in video surveillance software C-MOR (SYSS-2024-020 to -030) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-video…
∗∗∗ F5: K000140908: MySQL Server vulnerability CVE-2024-21134 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140908
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-09-2024 18:00 − Tuesday 03-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ D-Link says it is not fixing four RCE flaws in DIR-846W routers ∗∗∗
---------------------------------------------
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported. [..] The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing…
∗∗∗ The state of sandbox evasion techniques in 2024 ∗∗∗
---------------------------------------------
This post is about sandbox evasion techniques and their usefulness in more targeted engagements.
---------------------------------------------
https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.ht…
∗∗∗ CVE-2024-37084: Spring Cloud Remote Code Execution ∗∗∗
---------------------------------------------
CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. [..] The vulnerability affects versions 2.11.0 through 2.11.3 of Spring Cloud Skipper.
---------------------------------------------
https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/
∗∗∗ Intel Responds to SGX Hacking Research ∗∗∗
---------------------------------------------
Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology.
---------------------------------------------
https://www.securityweek.com/intel-responds-to-sgx-hacking-research/
∗∗∗ Ignore invoices and payment reminders from cvneed.com ∗∗∗
---------------------------------------------
You created a CV on cvneed.com? You assumed it was free? But suddenly invoices and even payment reminders are arriving in the mail? Ignore them and pay nothing. It is a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-von-cvneed/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2021-20123/CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability,
CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-ex…
∗∗∗ Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-using-macropack/
∗∗∗ A look into Web Application Security ∗∗∗
---------------------------------------------
An in-depth look into Web Application Security, and Bitsight's approach to related security metrics.
---------------------------------------------
https://www.bitsight.com/blog/look-web-application-security
=====================
= Vulnerabilities =
=====================
∗∗∗ Zyxel: Several high-risk security vulnerabilities in firewalls ∗∗∗
---------------------------------------------
Zyxel is warning of several security vulnerabilities in the company's firewalls. Updates that close the holes are available. [..] The most serious is a flaw that allows attackers to inject commands in the IPSec VPN of Zyxel firewalls. Using manipulated usernames, they can smuggle in commands that are executed by the operating system.
---------------------------------------------
https://heise.de/-9855938
∗∗∗ VMSA-2024-0018: VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811) ∗∗∗
---------------------------------------------
VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-=content-notification/-/extern…
∗∗∗ OpenSSL Security Advisory [3rd September 2024] ∗∗∗
---------------------------------------------
Possible denial of service in X.509 name checks (CVE-2024-6119) [..] OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
---------------------------------------------
https://openssl-library.org/news/secadv/20240903.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12), Debian (calibre, exfatprogs, frr, git, libtommath, nbconvert, ruby-nokogiri, ruby-tzinfo, and webkit2gtk), Fedora (flatpak, lua-mpack, and python3.12), Red Hat (389-ds-base, 389-ds:1.4, buildah, fence-agents, gvisor-tap-vsock, httpd:2.4, kernel, kernel-rt, nodejs:18, orc, postgresql, postgresql:12, postgresql:13, postgresql:15, python-urllib3, python3.12, and skopeo), SUSE (389-ds, bubblewrap and flatpak, cacti, cacti-spine, curl, glib2, kernel-firmware, libqt5-qt3d, libqt5-qtquick3d, opera, python39, qemu, unbound, xen, and zziplib), and Ubuntu (ffmpeg, linux-raspi-5.4, and python-webob).
---------------------------------------------
https://lwn.net/Articles/988570/
∗∗∗ Chrome 128 Updates Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/chrome-128-updates-patch-high-severity-vulnera…
∗∗∗ Lenze: Install Directory with insufficient permissions ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-053/
∗∗∗ LOYTEC Electronics LINX Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily