[CERT-daily] Daily summary - 28.08.2024

Daily end-of-shift report team at cert.at
Wed Aug 28 18:37:06 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 27-08-2024 18:00 - Wednesday 28-08-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ ISPs infiltrated: zero-day exploited for months ∗∗∗
---------------------------------------------
A vulnerability in the network software Versa Director (CVE-2024-39717) is being exploited more widely than initially known. At at least three Internet service providers (ISPs) in the USA and one outside the country, attackers have established a foothold in order to intercept customer logins and passwords in plaintext before they are hashed and stored at the ISP. [..] The attack fails if the Versa patches have been installed or if port 4566 is not reachable from customer routers. For the latter, Versa has been recommending appropriate firewall settings and system hardening for years.
---------------------------------------------
https://heise.de/-9849553


∗∗∗ ADAC warns: most keyless systems still easy to crack ∗∗∗
---------------------------------------------
The ADAC tested around 700 vehicles with keyless entry systems. More than 90 percent of them can be opened and started remotely via a relay attack.
---------------------------------------------
https://www.golem.de/news/adac-warnt-die-meisten-keyless-systeme-weiterhin-leicht-zu-knacken-2408-188473.html


∗∗∗ Windows Downdate: tool for reopening old Windows vulnerabilities published ∗∗∗
---------------------------------------------
With Windows Downdate, Windows components such as DLLs, drivers or the NT kernel can be silently downgraded to vulnerable versions. The tool is now public.
---------------------------------------------
https://www.golem.de/news/windows-downdate-tool-zum-oeffnen-alter-windows-luecken-veroeffentlicht-2408-188478.html


∗∗∗ Fraudulent cease-and-desist letters in the name of Pornhub ∗∗∗
---------------------------------------------
"Final warning before legal action" is the subject line of a worrying e-mail. E-mails are currently being sent out indiscriminately in the name of the law firm Frommer Legal, claiming that the recipient has streamed copyright-protected content from Pornhub.com.
---------------------------------------------
https://www.watchlist-internet.at/news/abmahnung-pornhub/


∗∗∗ Intel's Software Guard Extensions broken? Don't panic ∗∗∗
---------------------------------------------
Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated. [..] However, Intel has pointed out that not only would an attacker need physical access to a machine to make this work, but that string of issues would have to have been left unfixed.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/27/intel_root_key_xeons/


∗∗∗ New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
---------------------------------------------
https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.html


∗∗∗ New LummaC2 Malware Variant Uses PowerShell, Obfuscation to Steal Data ∗∗∗
---------------------------------------------
Ontinue has discovered a new LummaC2 malware variant with increased activity, using PowerShell for initial infection and employing obfuscation and process injection to steal sensitive data.
---------------------------------------------
https://hackread.com/lummac2-malware-variant-powershell-obfuscation-steal-data/


∗∗∗ Old devices, new dangers: The risks of unsupported IoT tech ∗∗∗
---------------------------------------------
Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them.
---------------------------------------------
https://www.welivesecurity.com/en/internet-of-things/old-devices-new-dangers-the-risks-of-unsupported-iot-tech/


∗∗∗ CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability ∗∗∗
---------------------------------------------
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted DCERPC packet to the target server. Successfully exploiting this vulnerability could lead to a heap buffer overflow, which could result in the execution of arbitrary code in the context of the vulnerable service. [..] This vulnerability was patched by the vendor in June. At the time of the patch release, there was a fair amount of attention paid to this vulnerability. However, to date, there have been no attacks detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-integer-underflow-code-execution-vulnerability


∗∗∗ BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks ∗∗∗
---------------------------------------------
In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft.
---------------------------------------------
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/


∗∗∗ Deep Analysis of Snake Keylogger’s New Variant ∗∗∗
---------------------------------------------
We performed a deep analysis on the campaign and discovered that it delivers a new variant of Snake Keylogger.
---------------------------------------------
https://feeds.fortinet.com/~/903638177/0/fortinet/blogs~Deep-Analysis-of-Snake-Keylogger%e2%80%99s-New-Variant



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (calibre, dotnet8.0, dovecot, webkit2gtk4.0, and webkitgtk), Oracle (nodejs:20), Red Hat (bind, bind and bind-dyndb-ldap, postgresql:16, and squid), Slackware (kcron and plasma), SUSE (keepalived and webkit2gtk3), and Ubuntu (drupal7).
---------------------------------------------
https://lwn.net/Articles/987519/


∗∗∗ DSA-5759-1 python3.11 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00172.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily