[CERT-daily] Tageszusammenfassung - 03.04.2024

Wed Apr 3 18:25:48 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 02-04-2024 18:00 − Mittwoch 03-04-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ NIS2-Begutachtungsverfahren gestartet ∗∗∗
---------------------------------------------
Die Regierung hat am 3. April 2024 das Cybersicherheitsgesetz zur europäischen NIS2-Verordnung in Begutachtung geschickt.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D


∗∗∗ Kritik nach Cyberangriff: Microsoft hat seine Kronjuwelen nicht im Griff ∗∗∗
---------------------------------------------
Ein im Sommer 2023 festgestellter Cyberangriff auf Microsofts Server hatte für einige Kunden verheerende Folgen. Eine US-Kommission erhebt nun schwere Vorwürfe gegen den Konzern.
---------------------------------------------
https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-microsoft-waere-vermeidbar-gewesen-2404-183792.html


∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗
---------------------------------------------
As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked.
---------------------------------------------
https://www.wired.com/story/jia-tan-xz-backdoor/


∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗
---------------------------------------------
In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.
---------------------------------------------
https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-similar-incident-to-light/


∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗
---------------------------------------------
PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/


∗∗∗ Hohe Handyrechnung durch ungewolltes Abo? ∗∗∗
---------------------------------------------
Per E-Mail oder SMS werden Sie plötzlich von Ihrem Mobilfunkanbieter darüber informiert, dass Sie ein Abo abgeschlossen haben. Sie sind sich aber sicher, dass Sie keinem Vertrag zugestimmt haben und wissen auch nicht, wie es dazu gekommen ist? Wir zeigen Ihnen, was Sie gegen unseriöse Abbuchungen von Ihrer Handyrechnung tun können und wie Sie sich vor Abofallen schützen.
---------------------------------------------
https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes-abo/


∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability.
---------------------------------------------
https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-1212-in-progress-kemp-loadmaster-a6b06cd0b9f8


∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗
---------------------------------------------
Our new article provides key highlights and takeaways from Operation Cronos disruption of LockBits operations, as well as telemetry details on how LockBit actors operated post-disruption.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
---------------------------------------------
https://lwn.net/Articles/968218/


∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗
---------------------------------------------
A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-found-in-layerslider-plugin-installed-on-a-million-wordpress-sites/


∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗
---------------------------------------------
Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-armor-privilege-escalation-fixed/


∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗
---------------------------------------------
Neben Google haben auch Samsung und weitere Hersteller wichtige Sicherheitsupdates für Androidgeräte veröffentlicht.
---------------------------------------------
https://heise.de/-9673480


∗∗∗ Codeschmuggellücke in VMware SD-WAN Edge und Orchestrator ∗∗∗
---------------------------------------------
Drei Sicherheitslücken in VMwares SD-WAN Edge und Orchestrator ermöglichen Angreifern unter anderem, Schadcode einzuschleusen.
---------------------------------------------
https://heise.de/-9673416


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/


∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2404-01.pdf

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily