[CERT-daily] Daily summary - 04.07.2024
Daily end-of-shift report
team at cert.at
Thu Jul 4 18:13:28 CEST 2024
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-07-2024 18:00 - Thursday 04-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
*** MikroTik routers as DDoS sources: figures for Austria ***
---------------------------------------------
OVH describes in detail in a blog post that they have recently been dealing more often with DDoS attacks which they trace back to compromised MikroTik routers. These involve serious bandwidth and packets-per-second figures: no surprise, if the attackers have managed to harness well-connected routers for their purposes. [..] I took this as an occasion to check in our data set (based on Shadowserver scans) how things stand with these devices in Austria: MikroTik routers that reveal their model numbers via SNMP.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/7/mikrotik-snmp
*** Authy: Hackers harvest millions of phone numbers via an unsecured API ***
---------------------------------------------
After criminals leaked a CSV file containing the phone numbers of allegedly 33 million Authy users, SMS phishing attacks are among the threats now looming.
---------------------------------------------
https://heise.de/-9789229
*** Backup fiasco in Indonesia: hackers give away the key and apologize ***
---------------------------------------------
A ransomware attack is causing Indonesia enormous problems. The situation is so precarious that the attackers are now extending a hand to the authorities.
---------------------------------------------
https://www.golem.de/news/backup-fiasko-in-indonesien-hacker-verschenken-schluessel-und-entschuldigen-sich-2407-186707.html
*** Update on the hack of the Qualys blog ***
---------------------------------------------
Qualys has now responded (to my report) regarding the hack of the company blog. No customer or corporate data was at risk, just a bit of spam on the blog, which was hosted by a third-party provider.
---------------------------------------------
https://www.borncity.com/blog/2024/07/04/neues-zum-hack-des-qualys-blogs/
*** Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) ***
---------------------------------------------
HTTP File Server (HFS) is a program that provides a simple type of web service. [..] Recently, the remote code execution vulnerability CVE-2024-23692 in the HFS program that provides web services was announced. Attack cases against vulnerable versions of HFS continue to be detected ever since. Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability.
---------------------------------------------
https://asec.ahnlab.com/en/67650/
*** WordPress User Enumeration: Risks & Mitigation Steps ***
---------------------------------------------
In this post, we’re diving deep into WordPress user enumeration. We’ll break down what it is, why it’s a problem, and most importantly — how to prevent a compromise.
---------------------------------------------
https://blog.sucuri.net/2024/07/wordpress-user-enumeration.html
*** The Not-So-Secret Network Access Broker x999xx ***
---------------------------------------------
Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is "x999xx," the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.
---------------------------------------------
https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker-x999xx/
*** Dissecting GootLoader With Node.js ***
---------------------------------------------
We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts.
---------------------------------------------
https://unit42.paloaltonetworks.com/javascript-malware-gootloader/
*** No room for error: Don’t get stung by these common Booking.com scams ***
---------------------------------------------
From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation.
---------------------------------------------
https://www.welivesecurity.com/en/scams/common-bookingcom-scams/
*** Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems ***
---------------------------------------------
Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system. Grassley noted that the cyberattack led to “malicious activity” potentially compromising some of the country’s most sensitive industrial and critical infrastructure information.
---------------------------------------------
https://therecord.media/senator-grassley-cisa-letter-hack
=====================
= Vulnerabilities =
=====================
*** Security updates for Thursday ***
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2).
---------------------------------------------
https://lwn.net/Articles/980755/
*** Citrix: Cloud Software Group Security Advisory for CVE-2024-6387 ***
---------------------------------------------
https://support.citrix.com/article/CTX678072/cloud-software-group-security-advisory-for-cve20246387
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily