===================== = End-of-Day report = =====================
Timeframe: Montag 02-12-2024 18:00 − Dienstag 03-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a
===================== = News = =====================
∗∗∗ Building Cyber Resilience Against Ransomware Attacks ∗∗∗ --------------------------------------------- This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building. --------------------------------------------- https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomwar...
∗∗∗ Unveiling RevC2 and Venom Loader ∗∗∗ --------------------------------------------- Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-lo...
∗∗∗ Gafgyt Malware Targeting Docker Remote API Servers ∗∗∗ --------------------------------------------- Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-dock...
∗∗∗ Secure Coding: Sichere Fehlerbehandlung in Java – CWE-778-Risiken vermeiden ∗∗∗ --------------------------------------------- Mit sicheren Java-Design-Patterns wie dem Decorator und Proxy Pattern die Kontrolle über Fehlerberichte verbessern – zum Schutz gegen CWE-778-Schwachstellen. --------------------------------------------- https://heise.de/-10084007
∗∗∗ On Almost Signing Android Builds ∗∗∗ --------------------------------------------- This blog post has two goals: to raise awareness about this issue, to introduce a script intended as a quick check to verify if an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part. --------------------------------------------- https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/
∗∗∗ Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd) ∗∗∗ --------------------------------------------- I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools. --------------------------------------------- https://isc.sans.edu/diary/rss/31486
===================== = Vulnerabilities = =====================
∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy). --------------------------------------------- https://lwn.net/Articles/1000591/
∗∗∗ Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders ∗∗∗ --------------------------------------------- CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-a...
∗∗∗ Patchday: Android 12, 13, 14 und 15 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In einer Warnmeldung hebt Google eine Sicherheitslücke (CVE-2024-43767 "hoch") im System als besonders bedrohlich hervor: Angreifer können Schadcode ausführen. Dafür seien keine zusätzlichen Ausführungsrechte nötig. Wie so ein Angriff genau ablaufen könnte, bleibt aber unklar. --------------------------------------------- https://heise.de/-10185926
∗∗∗ HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&...
∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06
∗∗∗ ICONICS and Mitsubishi Electric GENESIS64 Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04
∗∗∗ Open Automation Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03
∗∗∗ Ruijie Reyee OS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01
∗∗∗ F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148809
∗∗∗ F5: K000148689: Qt vulnerability CVE-2023-32762 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148689
∗∗∗ Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449) ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4679
∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3 ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4693
∗∗∗ ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1640/