[CERT-daily] Tageszusammenfassung - 01.07.2024

Mon Jul 1 18:29:01 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 28-06-2024 18:00 − Montag 01-07-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Roles in Cybersecurity: CSIRTs / LE / others ∗∗∗
---------------------------------------------
Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn’t in the position to really present my own view on some of the issues, so I’m using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what’s wrong with IT Security.
---------------------------------------------
https://www.cert.at/en/blog/2024/7/csirt-le-military


∗∗∗ NIS2 - Implementing Acts ∗∗∗
---------------------------------------------
Es liegen endlich Entwürfe für die Implementing Acts zur NIS 2 Richtline vor, die Umsetzungsdetails regeln werden. Genauer gesagt: es geht um Kriterien, wann ein Vorfall meldepflichtig wird und Maßnahmen zum Risikomanagement. Seitens der EU gibt es ein öffentliches Konsultationsverfahren dazu, das bis zum 25. Juli offen ist. Die Entwürfe sind auch über diese Webseite abrufbar.
---------------------------------------------
https://www.cert.at/de/blog/2024/6/nis2-implementing-acts


∗∗∗ Vorsicht vor gefälschten Gewinnspielen zur UEFA EURO 2024 ∗∗∗
---------------------------------------------
Kriminelle verbreiten per E-Mail gefälschte Gewinnspiele zur UEFA EURO 2024. In der E-Mail heißt es, dass man eine UEFA EURO 2024 Mystery Box gewinnen kann, wenn man auf den Link klickt und an einer kurzen Umfrage teilnimmt. Vorsicht: Kriminelle stehlen Ihre Daten und Sie tappen in eine Abo-Falle!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gewinnspielen-zur-uefa-euro-2024/


∗∗∗ Hackers exploit critical D-Link DIR-859 router flaw to steal passwords ∗∗∗
---------------------------------------------
Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/


∗∗∗ Dev rejects CVE severity, makes his GitHub repo read-only ∗∗∗
---------------------------------------------
The popular open source project, ip had its GitHub repository archived, or made "read-only" by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/


∗∗∗ Fake IT support sites push malicious PowerShell scripts as Windows fixes ∗∗∗
---------------------------------------------
Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/


∗∗∗ Router makers support portal responds with MetaMask phishing ∗∗∗
---------------------------------------------
BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/router-makers-support-portal-responds-with-metamask-phishing/


∗∗∗ Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data ∗∗∗
---------------------------------------------
[..] threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension thats designed to steal sensitive information as part of an ongoing intelligence collection effort.
---------------------------------------------
https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html


∗∗∗ CapraRAT Spyware Disguised as Popular Apps Threatens Android Users ∗∗∗
---------------------------------------------
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. [..] The list of new malicious APK files identified by SentinelOne is as follows - Crazy Game, Sexy Videos, TikToks, Weapons
---------------------------------------------
https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html


∗∗∗ Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats ∗∗∗
---------------------------------------------
Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia.
---------------------------------------------
https://sec-consult.com/blog/detail/unveiling-qilin-agenda-ransomware-a-deep-dive-into-modern-cyber-threats/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh).
---------------------------------------------
https://lwn.net/Articles/980252/


∗∗∗ regreSSHion: Remote Unauthenticated Code Execution Vulnerability (CVE-2024-6387) in OpenSSH server ∗∗∗
---------------------------------------------
Eine kritische Schwachstelle (CVE-2024-6387) wurde im OpenSSH Server (sshd) auf glibc-basierten Linux-Systemen getestet. Diese Sicherheitslücke ermöglicht es einem nicht authentifizierten Angreifer potentiell, über eine Race-Condition im Signalhandler beliebigen Code als root auf dem betroffenen System auszuführen. OpenBSD-basierte Systeme sind nicht betroffen. Obwohl die Schwachstelle als Remote Code Execution (RCE) eingestuft wird, ist ihre Ausnutzung äußerst komplex. [..] Betroffen sind OpenSSH-Versionen früher als 4.4p1, es sei denn, sie wurden gegen die Schwachstellen CVE-2006-5051 und CVE-2008-4109 gepatcht, sowie OpenSSH-Versionen von 8.5p1 bis einschließlich 9.8p1.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/7/regresshion-remote-unauthenticated-code-execution-vulnerability-cve-2024-6387-in-openssh-server


∗∗∗ IP-Telefonie: Avaya IP Office stopft kritische Sicherheitslecks ∗∗∗
---------------------------------------------
Updates für Avaya IP Office dichten Sicherheitslecks in der Software ab. Angreifer können dadurch Schadcode einschleusen.
---------------------------------------------
https://heise.de/-9784229


∗∗∗ ABB: 2024-07-01: Cyber Security Advisory -ASPECT system operating with default credentials while exposed to the Internet ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ Kubernetes: Invalid entry in vulnerability feed ∗∗∗
---------------------------------------------
https://github.com/kubernetes/website/issues/47003

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily