=====================
= End-of-Day report =
=====================

Timeframe:   Friday 17-01-2025 18:00 − Monday 20-01-2025 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  n/a
=====================
=       News        =
=====================
∗∗∗ Malicious PyPi package steals Discord auth tokens from devs ∗∗∗
---------------------------------------------
A malicious package named pycord-self on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [..] The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steals...
∗∗∗ Researcher reveals: ChatGPT can be abused for DDoS attacks ∗∗∗
---------------------------------------------
A ChatGPT API appears to readily accept a long list of links pointing to the same website, and then fetches them without any throttling. [..] According to Flesch, the DDoS attack can be triggered by an HTTP request to a ChatGPT API, specifically a POST request to the URL "https://chatgpt.com/backend-api/attributions". The API expects a list of hyperlinks, the researcher writes. However, it does not check whether a hyperlink to the same resource is listed more than once.
---------------------------------------------
https://www.golem.de/news/forscher-deckt-auf-chatgpt-laesst-sich-fuer-ddos-a...
∗∗∗ Partial ZIP File Downloads, (Mon, Jan 20th) ∗∗∗
---------------------------------------------
Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long.
---------------------------------------------
https://isc.sans.edu/diary/rss/31608
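The technique the diary alludes to works because a ZIP archive carries its index (the central directory) at the end, so a client that can ask for byte ranges only needs the tail, the directory, and the bytes of the one member it wants. The following is an added example, not code from the diary or from ISC: it builds a sample archive in memory (labelled as constructed), stands in a hypothetical `RangeSource` class for a server that honours `Range:` requests, and then pulls a single member out while counting how many bytes were actually transferred. The offsets and struct layouts are those of the ZIP specification (EOCD, central directory and local file header records); the CRC check at the end is what stops a truncated or tampered range response from being accepted silently.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def build_sample_zip() -> bytes:
    """Constructed sample: a 2 MiB stored filler next to a tiny deflated text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("big/filler.bin", b"\0" * (2 << 20), compress_type=zipfile.ZIP_STORED)
        zf.writestr("notes/readme.txt", "hello from inside the zip\n")
    return buf.getvalue()


class RangeSource:
    """Hypothetical stand-in for an HTTP server honouring Range requests.
    read(offset, length) corresponds to 'Range: bytes=offset-(offset+length-1)'."""

    def __init__(self, blob: bytes):
        self.blob = blob
        self.requests = 0
        self.bytes_fetched = 0

    def size(self) -> int:           # what a HEAD request's Content-Length would tell us
        return len(self.blob)

    def read(self, offset: int, length: int) -> bytes:
        self.requests += 1
        chunk = self.blob[offset:offset + length]
        self.bytes_fetched += len(chunk)
        return chunk


def read_central_directory(src: RangeSource) -> dict:
    """Fetch the archive tail, locate the EOCD record, then parse the central
    directory it points at. Returns {name: (local_offset, method, csize, crc)}."""
    total = src.size()
    tail_len = min(total, 22 + 65535)          # EOCD is 22 bytes plus an optional comment
    tail_start = total - tail_len
    tail = src.read(tail_start, tail_len)
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    (_, _, _, _, n_entries, cd_size, cd_offset, _) = struct.unpack("<IHHHHIIH", tail[pos:pos + 22])
    if cd_offset >= tail_start:                # directory already inside the tail we have
        cd = tail[cd_offset - tail_start:cd_offset - tail_start + cd_size]
    else:
        cd = src.read(cd_offset, cd_size)
    entries, p = {}, 0
    for _ in range(n_entries):
        if cd[p:p + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        f = struct.unpack("<IHHHHHHIIIHHHHHII", cd[p:p + 46])
        method, crc, csize = f[4], f[7], f[8]
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = cd[p + 46:p + 46 + name_len].decode("utf-8")   # sample names are ASCII
        entries[name] = (local_off, method, csize, crc)
        p += 46 + name_len + extra_len + comment_len
    return entries


def fetch_member(src: RangeSource, entries: dict, name: str) -> bytes:
    """Fetch one member's bytes by range and verify them against the directory CRC."""
    local_off, method, csize, crc = entries[name]
    # The local header's name/extra lengths may differ from the central record's,
    # so read the 30-byte local header rather than computing the data offset blindly.
    hdr = src.read(local_off, 30)
    if hdr[:4] != LOCAL_SIG:
        raise ValueError("corrupt local file header")
    name_len, extra_len = struct.unpack("<HH", hdr[26:30])
    data = src.read(local_off + 30 + name_len + extra_len, csize)
    if method == 0:
        raw = data
    elif method == 8:
        raw = zlib.decompress(data, -15)       # raw deflate stream, no zlib header
    else:
        raise ValueError(f"unsupported compression method {method}")
    if zlib.crc32(raw) & 0xFFFFFFFF != crc:
        raise ValueError(f"CRC mismatch for {name}")
    return raw


def partial_download(blob: bytes, name: str) -> dict:
    """Extract one member from an archive reachable only through range reads."""
    src = RangeSource(blob)
    entries = read_central_directory(src)
    content = fetch_member(src, entries, name)
    return {"content": content, "members": sorted(entries), "archive_size": src.size(),
            "bytes_fetched": src.bytes_fetched, "requests": src.requests}


if __name__ == "__main__":
    result = partial_download(build_sample_zip(), "notes/readme.txt")
    print(result["members"], result["bytes_fetched"], "of", result["archive_size"], "bytes")
```

Against a real server, `RangeSource.size()` becomes a HEAD request and `read()` a GET with a `Range:` header; everything else stays the same. Archives larger than 4 GiB use ZIP64 records, which this example does not parse.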
∗∗∗ Private Keys in the Fortigate Leak ∗∗∗
---------------------------------------------
A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. [..] It was first reported by heise, a post by Kevin Beaumont contains further info. What has not been widely recognized is that this leak also contains TLS and SSH private keys.
---------------------------------------------
https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.h...
∗∗∗ Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI ∗∗∗
---------------------------------------------
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. [..] This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research.
---------------------------------------------
https://www.thezdi.com/blog/2025/1/16/looking-at-the-attack-surfaces-of-the-...
∗∗∗ Most cybercriminals don't hack, they log in ∗∗∗
---------------------------------------------
In 57 percent of successful cyberattacks, no major hack via security vulnerabilities is required. The cybercriminals simply used a compromised user account to gain access to the systems, according to Varonis' analysis of such incidents.
---------------------------------------------
https://www.borncity.com/blog/2025/01/19/die-meisten-cyberkriminellen-hacken...
∗∗∗ Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale ∗∗∗
---------------------------------------------
Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online.
---------------------------------------------
https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/
∗∗∗ Secure Coding: Hardening Apache Maven against cache-poisoning attacks ∗∗∗
---------------------------------------------
Dependency management systems such as Maven are a recurring target of cache-poisoning attacks, against which only consistently applied security practices help.
---------------------------------------------
https://heise.de/-10244779
∗∗∗ Hilton, Hyatt, Marriott: 437,000 records from management platform at HIBP ∗∗∗
---------------------------------------------
Criminals stole data from the management platform Otelier. Around 437,000 records, from Hilton, Hyatt and Marriott among others, are now at HIBP.
---------------------------------------------
https://heise.de/-10248339
∗∗∗ Investigating an "evil" RJ45 dongle ∗∗∗
---------------------------------------------
Earlier this week, a young entrepreneur caused a stir on social media by suggesting that an Ethernet-to-USB adapter they purchased from China was preloaded with malware that "evaded virtual machines", "captured keystrokes", and "used Russian-language elements". [..] To get to that point, we didn't need a hardware lab; a bit of patience and Google-fu was enough.
---------------------------------------------
https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle
=====================
=  Vulnerabilities  =
=====================
∗∗∗ VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) ∗∗∗
---------------------------------------------
Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397: IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network.
---------------------------------------------
https://kb.cert.org/vuls/id/199397
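The common thread in the four encapsulations named in the advisory is that the outer IP header announces them: IPIP is IP protocol 4, 6in4 is protocol 41, GRE is protocol 47, and 4in6 is an IPv6 packet whose next header is 4. That makes "encapsulated traffic arriving from a peer we never configured a tunnel with" a simple thing to look for on a capture or at a packet filter. The following is an added example, not code from CERT/CC or the DistriNet researchers: it parses the outer IPv4/IPv6 header of raw packets and reports any encapsulated packet whose source is not on a tunnel-peer allowlist. The packets, the `ALLOWED_PEERS` set and the `audit_packets` helper are constructed for the example (documentation address ranges, no IP checksums); the allowlist stands for the usual fix of accepting tunnel traffic only from known endpoints, which is my assumption about the mitigation rather than a statement from the advisory.

```python
import ipaddress
import struct

# IANA protocol / next-header numbers for the encapsulations named in VU#199397.
ENCAP_PROTOS = {4: "IPIP (IPv4-in-IP)", 41: "IPv6-in-IPv4 (6in4)", 47: "GRE"}


def parse_outer_header(pkt: bytes):
    """Return (version, src, dst, proto) for a raw IP packet, or None if it is not IP.
    For IPv6 only the first next-header value is inspected; extension headers
    preceding the tunnel payload are not walked here."""
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= 20:
        return 4, ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]), pkt[9]
    if version == 6 and len(pkt) >= 40:
        return 6, ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40]), pkt[6]
    return None


def audit_packets(packets, allowed_peers):
    """Flag encapsulated packets (IPIP, 6in4, GRE, 4in6) from non-allowlisted sources."""
    findings = []
    for pkt in packets:
        parsed = parse_outer_header(pkt)
        if parsed is None:
            continue
        version, src, dst, proto = parsed
        if proto not in ENCAP_PROTOS:
            continue
        if src in allowed_peers:
            continue                    # a tunnel peer we actually configured
        label = "IPv4-in-IPv6 (4in6)" if (version == 6 and proto == 4) else ENCAP_PROTOS[proto]
        findings.append({"src": str(src), "dst": str(dst), "proto": proto, "encap": label})
    return findings


# --- constructed sample packets (headers only; checksums left zero) ---
def ipv4_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


ALLOWED_PEERS = {ipaddress.ip_address("203.0.113.5")}   # the one tunnel peer we configured

SAMPLE_PACKETS = [
    ipv4_packet("198.51.100.7", "192.0.2.1", 47),      # GRE from an unknown host -> flag
    ipv4_packet("203.0.113.5", "192.0.2.1", 47),       # GRE from the configured peer -> fine
    ipv4_packet("198.51.100.9", "192.0.2.1", 6),       # plain TCP -> not encapsulation
    ipv4_packet("198.51.100.7", "192.0.2.1", 41),      # 6in4 from an unknown host -> flag
    ipv6_packet("2001:db8::bad", "2001:db8::1", 4),    # 4in6 from an unknown host -> flag
]


if __name__ == "__main__":
    for finding in audit_packets(SAMPLE_PACKETS, ALLOWED_PEERS):
        print(f"{finding['encap']:22} {finding['src']} -> {finding['dst']}")
```

Fed with packets from a pcap (for example via a capture library's raw-bytes accessor) this gives a quick inventory of which hosts are receiving tunnel traffic from the open Internet; the same proto-number test expressed as firewall rules, dropping protocols 4, 41 and 47 except from configured peers, is the corresponding preventive control.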
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/1005638/
∗∗∗ Nvidia: data leakage possible through security flaw in graphics driver ∗∗∗
---------------------------------------------
Nvidia has discovered security vulnerabilities in its graphics card drivers. Attackers can use them to obtain information. Updates are available.
---------------------------------------------
https://heise.de/-10248258
∗∗∗ Security patch: unauthorized access to certain Moxa switches possible ∗∗∗
---------------------------------------------
Attackers can bypass authentication on Moxa switches of the EDS-508A series. The vulnerability is rated critical. To prevent attacks, network admins should update the firmware of their Moxa EDS-508A series Ethernet switches to the latest version.
---------------------------------------------
https://heise.de/-10249285
∗∗∗ Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users ∗∗∗
---------------------------------------------
https://thecyberexpress.com/yubico-2fa-bypass-vulnerability-advisory/