[CERT-daily] Tageszusammenfassung - 22.04.2024

Daily end-of-shift report team at cert.at
Mon Apr 22 18:39:06 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 19-04-2024 18:00 − Montag 22-04-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗
---------------------------------------------
Have you ever encountered the term double agent? Recently, weve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages.
---------------------------------------------
https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the-realm-of-malicious-python-packages


∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗
---------------------------------------------
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software.
---------------------------------------------
https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html


∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗
---------------------------------------------
Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool.
---------------------------------------------
https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-security-products/


∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗
---------------------------------------------
The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebrands-releases-cd-projekt-and-cisco-data/


∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗
---------------------------------------------
BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/


∗∗∗ Sicherheitslücke aufgedeckt: Forscher knackt Cisco-Appliance und zockt Doom ∗∗∗
---------------------------------------------
Mit einem eigens entwickelten Exploit-Toolkit hat er sich auf dem BMC einer Cisco ESA C195 einen Root-Zugriff verschafft. [..] Um auf der C195 Doom auszuführen, reicht CVE-2024-20356 allein allerdings nicht aus. Thacker nahm zuerst diverse Modifikationen am Bios der Cisco ESA vor und verschaffte sich erst danach mit Ciscown über das Netzwerk einen Root-Zugriff auf den BMC. [..] Eine Liste der Systeme, die in der Standardkonfiguration anfällig sind, ist im Sicherheitshinweis von Cisco zu finden – ebenso wie die jeweiligen Systemversionen, die einen Patch beinhalten.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisco-appliance-und-zockt-doom-2404-184390.html


∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗
---------------------------------------------
We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.
---------------------------------------------
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/


∗∗∗ Vorsicht vor Jobangeboten per WhatsApp, SMS oder Telegram ∗∗∗
---------------------------------------------
Die Betrugsmasche beginnt direkt auf Ihrem Smartphone: Sie bekommen auf WhatsApp, Telegram oder einen anderen Messenger eine Nachricht von einer Jobvermittlung. Ihnen wird ein Nebenjob mit flexibler Zeiteinteilung angeboten. Ihre Aufgabe ist es, Hotels, Online-Shops oder andere Dienstleistungen zu bewerten oder zu testen. Angeblich kann man damit zwischen 300 und 1000 Euro pro Tag verdienen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsapp-sms-oder-telegram/


∗∗∗ NATO-Cyberübung "Locked Shields": Phishing verhindern, Container verteidigen ∗∗∗
---------------------------------------------
Das Cybersicherheitszentrum der NATO bittet zur Großübung. Sie simuliert, wie kritische Infrastruktur vor digitalen Angriffen geschützt werden kann.
---------------------------------------------
https://heise.de/-9691854



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗
---------------------------------------------
On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-flaw-impacts-over-300k-wordpress-sites/


∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗
---------------------------------------------
Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability.
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-750274.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow).
---------------------------------------------
https://lwn.net/Articles/970793/


∗∗∗ Jetzt patchen! Attacken auf Dateiübertragungsserver CrushFTP beobachtet ∗∗∗
---------------------------------------------
Der Anbieter der Dateiübertragungsserversoftware CrushFTP warnt vor einer Sicherheitslücke, die Angreifer Sicherheitsforschern zufolge bereits ausnutzen. Dagegen gerüstete Versionen stehen zum Download bereit. Aus einer Sicherheitswarnung geht hervor, dass die Ausgaben 10.7.1 und 11.1.0 gegen die Angriffe gerüstet sind.
---------------------------------------------
https://heise.de/-9693009


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list