[CERT-daily] Tageszusammenfassung - 08.04.2024

Daily end-of-shift report team at cert.at
Mon Apr 8 18:35:47 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 05-04-2024 18:00 − Montag 08-04-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Jetzt patchen! Rund 16.500 VPN-Instanzen von Ivanti potenziell angreifbar ∗∗∗
---------------------------------------------
Scans zeigen, dass weltweit tausende VPN-Instanzen von Ivanti des Typs Connect Secure und Policy Secure Gateway verwundbar sind. [..] Eigenen Angaben zufolge sind Sicherheitsforscher von Shadowserver weltweit auf rund 16.500 VPN-Instanzen gestoßen, die mit hoher Wahrscheinlichkeit für Attacken empfänglich sind (CVE-2024-21894 „hoch“, CVE-2024-22053 „hoch“). Sind Angriffe erfolgreich, kann Schadcode auf Appliances gelangen. Im Anschluss gelten Systeme in der Regel als vollständig kompromittiert.
---------------------------------------------
https://heise.de/-9677551


∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗
---------------------------------------------
A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/


∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗
---------------------------------------------
Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAIs SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/


∗∗∗ Tastatursteuerung: Amazon untersucht Sicherheitslücke in Fire-TV-Funktion ∗∗∗
---------------------------------------------
Amazon hat eine Komfort-Funktion für Fire-TV-Geräte aufgrund möglicher Sicherheitsbedenken von Green Line Analytics vorübergehend zurückgezogen.
---------------------------------------------
https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitsluecke-in-fire-tv-funktion-2404-183893.html


∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗
---------------------------------------------
Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024.
---------------------------------------------
https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html


∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗
---------------------------------------------
Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation


∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗
---------------------------------------------
New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs.
---------------------------------------------
https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/


∗∗∗ Vorsicht vor kostenlosen Diensten zur Anpassung und Veränderung von Dateien ∗∗∗
---------------------------------------------
Sie möchten Dateien konvertieren, verkleinern oder Dokumente zusammenfügen? Im Internet gibt es dafür zahlreiche vermeintlich kostenlose Dienste. Wir raten davon ab, denn hinter vielen Angeboten steckt eine Abofalle. Zudem ist oft unklar, was mit Ihren Dokumenten geschieht.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zur-anpassung-und-veraenderung-von-dateien/


∗∗∗ IBIS-Hotel: Check-In-Terminal gibt Zugangsdaten fremder Zimmer aus ∗∗∗
---------------------------------------------
Nächster Sicherheitsunfall bei Hotels: Bei den Check-In-Terminals der IBIS-Hotels war es durch Eingabe einer speziellen nicht alphanumerischen Buchungsnummer möglich, die Tastencodes von fast die Hälfte der Zimmer abzurufen. Dritte hätten in die Zimmer eindringen und Wertsachen stehlen können.
---------------------------------------------
https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-zugangsdaten-fremder-zimmer-aus/


∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗
---------------------------------------------
FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs.
---------------------------------------------
https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-VenomRAT-with-an-Arsenal-of-Plugins



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).
---------------------------------------------
https://lwn.net/Articles/968999/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list