===================== = End-of-Day report = =====================
Timeframe: Freitag 28-02-2025 18:00 − Montag 03-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a
===================== = News = =====================
∗∗∗ Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks ∗∗∗ --------------------------------------------- Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-para...
∗∗∗ Ohne Nutzerinteraktion: Wie Hacker fremde Gitlab-Accounts übernehmen konnten ∗∗∗ --------------------------------------------- Letztes Jahr hat Gitlab eine gefährliche Sicherheitslücke geschlossen. Ein neuer Bericht zeigt, wie leicht sich damit fremde Konten kapern ließen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-per-passwort-reset-fremde-gitlab...
∗∗∗ Mobile malware evolution in 2024 ∗∗∗ --------------------------------------------- The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software. --------------------------------------------- https://securelist.com/mobile-threat-report-2024/115494/
∗∗∗ Dornröschenschlaf: mit diesem einfachen Trick Crowdstrike Falcon zähmen ∗∗∗ --------------------------------------------- Nachdem Angreifer die Rechte eines Benutzers mit "NT AUTHORITY\SYSTEM" Berechtigungen erlangt haben, indem andere Schwachstellen .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dornroeschenschlaf-mit-diesem-einfach...
∗∗∗ Vo1d Botnets Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries ∗∗∗ --------------------------------------------- Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.The improved variant of Vo1d has been found to encompass 800,000 daily active IP .. --------------------------------------------- https://thehackernews.com/2025/03/vo1d-botnets-peak-surpasses-159m.html
∗∗∗ Cybersecurity not the hiring-em-like-hotcakes role it once was ∗∗∗ --------------------------------------------- Ghost positions, HR AI no help – biz should talk to infosec staff and create realistic job outline, say experts Analysis Its a familiar refrain in the security industry that there is a massive skills gap in the sector. And while its true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists. --------------------------------------------- https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/
∗∗∗ Massive Sicherheitslücken bei Gebäude-Zugangssystemen entdeckt ∗∗∗ --------------------------------------------- Cyberkriminelle können leicht auf Zugangssysteme von Gebäuden weltweit zugreifen. Eine Studie nennt das Ausmaß und die Ursachen. --------------------------------------------- https://www.heise.de/news/Massive-Sicherheitsluecken-bei-Gebaeude-Zugangssys...
∗∗∗ Angreifer bringen verwundbaren Paragon-Treiber mit und missbrauchen ihn ∗∗∗ --------------------------------------------- Angreifer missbrauchen ein Leck in einem Treiber von Paragon Partition Manager. Besonders gefährlich: den können sie selbst mitbringen. --------------------------------------------- https://www.heise.de/news/Sicherheitsleck-in-Treiber-von-Paragon-Partition-M...
∗∗∗ Thule-Radanhänger: Pedalritter im Visier von Fake-Shops ∗∗∗ --------------------------------------------- Die Fahrradanhänger des Traditionsunternehmens Thule genießen zurecht einen hervorragenden Ruf. Diesen machen sich Kriminelle aber immer wieder zu Nutze. Sie bauen den Thule-Onlinestore nach und locken ihre Opfer dort mit vermeintlichen Top-Schnäppchen in die Falle. In diesem Artikel erfahren Sie, wie Sie die Fake-Shops erkennen können und welche Optionen Sie im Fall einer getätigten Zahlung noch haben. --------------------------------------------- https://www.watchlist-internet.at/news/thule-radanhaenger-fake-shops/
∗∗∗ Uncovering .NET Malware Obfuscated by Encryption and Virtualization ∗∗∗ --------------------------------------------- Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
∗∗∗ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ∗∗∗ --------------------------------------------- In this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware...
∗∗∗ Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions ∗∗∗ --------------------------------------------- Rosetta 2 is Apples translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts-...
∗∗∗ how to gain code execution on millions of people and hundreds of popular apps ∗∗∗ --------------------------------------------- .. and of course, firebase was (partially) the cause --------------------------------------------- https://kibty.town/blog/todesktop/
===================== = Vulnerabilities = =====================
∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, .. --------------------------------------------- https://lwn.net/Articles/1012760/
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-expl...
∗∗∗ DSA-5872-1 xorg-server - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00034.html