[CERT-daily] Tageszusammenfassung - 22.02.2024
Daily end-of-shift report
team at cert.at
Thu Feb 22 18:07:19 CET 2024
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-02-2024 18:00 − Donnerstag 22-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New SSH-Snake malware steals SSH keys to spread across the network ∗∗∗
---------------------------------------------
A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/
∗∗∗ Google Play Store: Banking-Trojaner nimmt europäische Nutzer ins Visier ∗∗∗
---------------------------------------------
Im Google Play Store tauchen Varianten des Anatsa-Banking-Trojaners auf. Sie kommen auf über 100.000 Installationen.
---------------------------------------------
https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaeische-Nutzer-ins-Visier-9635463.html
∗∗∗ Why ransomware gangs love using RMM tools—and how to stop them ∗∗∗
---------------------------------------------
More and more ransomware gangs are using RMM tools in their attacks.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-love-using-rmm-tools-and-how-to-stop-them
∗∗∗ Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures ∗∗∗
---------------------------------------------
In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally.
---------------------------------------------
https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/
∗∗∗ Angriffe gegen ConnectWise ScreenConnect ∗∗∗
---------------------------------------------
Die Remote Desktop und Access Software ConnectWise ScreenConnect ist aktuell Ziel von Cyberangriffen. Der Hersteller der Software hatte kürzlich ein Security Advisory bezüglich Authentication Bypass und Path Traversal Vulnerabilities veröffentlicht und dieses inzwischen um Hinweise auf bereits laufende Angriff und Indikatoren für eine bereits stattgefundene Kompromittierung erweitert.
---------------------------------------------
https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect
∗∗∗ TinyTurla-NG in-depth tooling and command and control analysis ∗∗∗
---------------------------------------------
Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.
---------------------------------------------
https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/
∗∗∗ LockBit Attempts to Stay Afloat With a New Version ∗∗∗
---------------------------------------------
This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html
∗∗∗ Decrypted: HomuWitch Ransomware ∗∗∗
---------------------------------------------
HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies.
---------------------------------------------
https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/
∗∗∗ “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution ∗∗∗
---------------------------------------------
In today’s match-up, we’re looking at various versions(both old and new!) of IBM’s “Operational Decision Manager” (ODM).
---------------------------------------------
https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/
=====================
= Vulnerabilities =
=====================
∗∗∗ Codeschmuggel-Lücke in diversen HP Laser-Druckern ∗∗∗
---------------------------------------------
HP warnt mit gleich zwei Sicherheitsmeldungen vor Lücken in diversen Laserjet-Druckern. Firmwareupdates sollen sie schließen.
---------------------------------------------
https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Druckern-9635826.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...]
---------------------------------------------
https://lwn.net/Articles/963205/
∗∗∗ Progress Kemp LoadMaster (Load-Balancer) Schwachstelle CVE-2024-1212 ∗∗∗
---------------------------------------------
Zum 8. Februar 2024 gab es den Hinweis für Administratoren, die den Load-Balancer LoadMaster von Progress Kemp verwenden, dessen Firmware zu aktualisieren.
---------------------------------------------
https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-balancer-schwachstelle-cve-2024-1212/
∗∗∗ 2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ WAGO: Multiple products affected by Terrapin ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-014/
∗∗∗ [R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-03
∗∗∗ [R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-04
∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list