[CERT-daily] Daily summary - 20.02.2024

Daily end-of-shift report team at cert.at
Tue Feb 20 18:26:14 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 19-02-2024 18:00 − Tuesday 20-02-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Ransomware: Lockbit taken down by investigators - two arrests ∗∗∗
---------------------------------------------
Operation Cronos: One arrest each in Poland and Ukraine; investigators have seized a trove of data as well as access to Lockbit's cryptocurrency and websites.
---------------------------------------------
https://www.heise.de/-9633327


∗∗∗ Hackers exploit critical RCE flaw in Bricks WordPress site builder ∗∗∗
---------------------------------------------
Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/


∗∗∗ Cactus ransomware claim to steal 1.5TB of Schneider Electric data ∗∗∗
---------------------------------------------
The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the company's network last month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-steal-15tb-of-schneider-electric-data/


∗∗∗ Over 28,500 Exchange servers vulnerable to actively exploited bug ∗∗∗
---------------------------------------------
Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers-vulnerable-to-actively-exploited-bug/


∗∗∗ Beware of fake Microsoft security warnings while browsing the internet ∗∗∗
---------------------------------------------
While you are browsing the internet, a security warning from Microsoft suddenly appears. It says that your device is infected with a virus and that you should call the "Windows help" line. Do not call this number under any circumstances. It is a fraudulent pop-up window. If you call, criminals steal data and money!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-microsoft-sicherheitswarnungen-beim-surfen-im-internet/


∗∗∗ Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns ∗∗∗
---------------------------------------------
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.
---------------------------------------------
https://blog.talosintelligence.com/google-cloud-run-abuse/


∗∗∗ A technical analysis of the BackMyData ransomware used to attack hospitals in Romania ∗∗∗
---------------------------------------------
Summary: According to BleepingComputer, a ransomware attack that occurred starting on February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family.
---------------------------------------------
https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now ∗∗∗
---------------------------------------------
ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are listed below:
- Authentication bypass using an alternate path or channel (CVSS score: 10.0)
- Improper limitation of a pathname to a restricted directory aka "path traversal" (CVSS score: 8.4)
---------------------------------------------
https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html


∗∗∗ Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH) ∗∗∗
---------------------------------------------
Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/mutiple-stored-cross-site-scripting-vulnerabilities-in-openolat-frentix-gmbh/


∗∗∗ SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin ∗∗∗
---------------------------------------------
On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes.
---------------------------------------------
https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-in-rss-aggregator-by-feedzy-wordpress-plugin/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).
---------------------------------------------
https://lwn.net/Articles/962881/


∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗
---------------------------------------------
Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024


∗∗∗ Joomla: [20240205] - Core - Inadequate content filtering within the filter code ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html


∗∗∗ Joomla: [20240204] - Core - XSS in mail address outputs ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/928-20240204-core-xss-in-mail-address-outputs.html


∗∗∗ Joomla: [20240203] - Core - XSS in media selection fields ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/927-20240203-core-xss-in-media-selection-fields.html


∗∗∗ Joomla: [20240202] - Core - Open redirect in installation application ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/926-20240202-core-open-redirect-in-installation-application.html


∗∗∗ Joomla: [20240201] - Core - Insufficient session expiration in MFA management views ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 123 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/


∗∗∗ MISP 2.4.185 released with sighting performance improvements, security and bugs fixes. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.185


∗∗∗ Ethercat Zeek Plugin ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02


∗∗∗ Mitsubishi Electric Electrical Discharge Machines ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-03


∗∗∗ Commend WS203VICM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



