===================== = End-of-Day report = =====================
Timeframe: Dienstag 10-12-2024 18:00 − Mittwoch 11-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a
===================== = News = =====================
∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗ --------------------------------------------- Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. --------------------------------------------- https://hackread.com/ongoing-phishing-campaign-targets-employees/
∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗ --------------------------------------------- On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it. --------------------------------------------- https://arstechnica.com/information-technology/2024/12/new-badram-attack-neu...
∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a "critical" security vulnerability in Microsofts multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victims account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024. --------------------------------------------- https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html
∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗ --------------------------------------------- Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large. --------------------------------------------- https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-diss...
∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗ --------------------------------------------- As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-re...
∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗ --------------------------------------------- PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-be...
∗∗∗ Zeitplan veröffentlicht: Lets Encrypt schafft OCSP-Zertifikatsüberprüfung ab ∗∗∗ --------------------------------------------- Das Protokoll zur Echtzeit-Gültigkeitsprüfung hat Datenschutzprobleme. Die weltgrößte CA ersetzt es nun durch Zertifikats-Sperrlisten. --------------------------------------------- https://heise.de/-10195107
===================== = Vulnerabilities = =====================
∗∗∗ Ivanti: December Security Update ∗∗∗ --------------------------------------------- Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639 --------------------------------------------- https://www.ivanti.com/blog/december-security-update
∗∗∗ Microsoft Security Update Summary (10. Dezember 2024) ∗∗∗ --------------------------------------------- Am 10. Dezember 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 70 Schwachstellen (CVEs), davon 16 kritische Sicherheitslücken, davon eine als 0-day klassifiziert (bereits ausgenutzt). --------------------------------------------- https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-1...
∗∗∗ Solarwinds Web Help Desk: Software-Update schließt kritische Lücken ∗∗∗ --------------------------------------------- In Solarwinds Web Help Desk haben die Entwickler teils kritische Sicherheitslücken korrigiert. IT-Verantwortliche sollten rasch aktualisieren. --------------------------------------------- https://heise.de/-10195207
∗∗∗ Patchday: Adobe schließt mehr als 160 Sicherheitslücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Insgesamt hat der Softwarehersteller mehr als 160 Schwachstellen mit Updates für die Produkte geschlossen. --------------------------------------------- https://www.heise.de/-10194979
∗∗∗ Synology-SA-24:28 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to read specific files. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_28
∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗ --------------------------------------------- The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability. --------------------------------------------- https://kb.cert.org/vuls/id/164934
∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro). --------------------------------------------- https://lwn.net/Articles/1001728/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/
∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148931
∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-9...
∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scri...
∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1207
∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1206
∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1205
∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1204
∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1203
∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1202
∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1201