===================== = End-of-Day report = =====================
Timeframe: Montag 25-03-2024 18:00 − Dienstag 26-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer
===================== = News = =====================
∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗ --------------------------------------------- Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play-...
∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗ --------------------------------------------- During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do? --------------------------------------------- https://isc.sans.edu/diary/rss/30774
∗∗∗ Agent Teslas New Ride: The Rise of a Novel Loader ∗∗∗ --------------------------------------------- This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas...
∗∗∗ The Darkside of TheMoon ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at of a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours. --------------------------------------------- https://blog.lumen.com/the-darkside-of-themoon/
∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗ --------------------------------------------- Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apples password reset feature. In this scenario, a targets Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Dont Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line). --------------------------------------------- https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-app...
∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗ --------------------------------------------- A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon. --------------------------------------------- https://www.securityweek.com/suspicious-nuget-package-harvesting-information...
∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗ --------------------------------------------- This blog entry discusses the Agenda ransomware groups use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-...
===================== = Vulnerabilities = =====================
∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/966678/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254,CVE-2024-23263, CVE-2024-23280,CVE-2024-23284, CVE-2023-42950,CVE-2023-42956, CVE-2023-42843. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0002.html
∗∗∗ macOS 14.4.1 mit jeder Menge Bugfixes – Sicherheitshintergründe zu iOS 17.4.1 ∗∗∗ --------------------------------------------- Apple hat am Montagabend ein weiteres Update für macOS 14 veröffentlicht. Es behebt diverse Fehler. Parallel gibt es Infos zu iOS 17.4.1 und dessen Fixes. --------------------------------------------- https://heise.de/-9666170
∗∗∗ Loadbalancer: Sicherheitslücken in Loadmaster von Progress/Kemp ∗∗∗ --------------------------------------------- In der Loadbalancer-Software Loadmaster von Progress/Kemp klaffen Sicherheitslücken, durch die Angreifer etwa Befehle einschleusen können. --------------------------------------------- https://heise.de/-9666253
∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssb-201698.html
∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02
∗∗∗ Rockwell Automation Arena Simulation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03
∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01