[CERT-daily] Daily summary - 16.04.2024

Daily end-of-shift report team at cert.at
Tue Apr 16 18:37:40 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 15-04-2024 18:00 - Tuesday 16-04-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗
---------------------------------------------
At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe it's so? Instead, we've decided to do something better - that's right! We're proud to release another detection artefact generator tool, this time in the form of an HTTP request:
---------------------------------------------
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/


∗∗∗ Quick Palo Alto Networks Global Protect Vulnerability Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗
---------------------------------------------
One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April.
---------------------------------------------
https://isc.sans.edu/diary/rss/30838


∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗
---------------------------------------------
A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally/


∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗
---------------------------------------------
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.
---------------------------------------------
https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html


∗∗∗ Beware of fake bank calls ∗∗∗
---------------------------------------------
You receive a call, supposedly from a bank. The person on the phone claims that you have submitted a loan application. If you object, the person on the phone explains that criminals must then have submitted the loan application in your name. Hang up! It is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/


∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗
---------------------------------------------
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.
---------------------------------------------
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/


∗∗∗ Access management: Critical admin vulnerability in Delinea Secret Server closed ∗∗∗
---------------------------------------------
The privileged access management (PAM) solution Secret Server by Delinea is vulnerable. A security update is available.
---------------------------------------------
https://heise.de/-9686457



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Severe security vulnerability in PuTTY - CVE-2024-31497 ∗∗∗
---------------------------------------------
Security researchers have found a severe security vulnerability in PuTTY, a widely used open-source software for establishing connections over Secure Shell (SSH). Exploitation of CVE-2024-31497 allows attackers, under certain circumstances, to recover the private key of a cryptographic key pair.
---------------------------------------------
https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2024-31497


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/970036/


∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN23835228/


∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFail-bf1f2ea5.pdf


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/


∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/


∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt


∗∗∗ Measuresoft ScadaPro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01


∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03


∗∗∗ RoboDK RoboDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily