[CERT-daily] Daily summary - 22.07.2024

Daily end-of-shift report team at cert.at
Mon Jul 22 18:08:48 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 19-07-2024 18:00 − Monday 22-07-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Attackers Abuse Swap File to Steal Credit Cards ∗∗∗
---------------------------------------------
Bad actors exploited the humble swap file to maintain a persistent credit card skimmer on a Magento e-commerce site. This clever tactic allowed the malware to survive multiple cleanup attempts.
---------------------------------------------
https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-cards.html


∗∗∗ Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.
---------------------------------------------
https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html


∗∗∗ SocGholish Malware Exploits BOINC Project for Covert Cyberattacks ∗∗∗
---------------------------------------------
The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.
---------------------------------------------
https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html


∗∗∗ PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing ∗∗∗
---------------------------------------------
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes.
---------------------------------------------
https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html


∗∗∗ From RA Group to RA World: Evolution of a Ransomware Group ∗∗∗
---------------------------------------------
Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools.
---------------------------------------------
https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/


∗∗∗ Addressing CrowdStrike on Cloud VMs in AWS with Automated Remediation ∗∗∗
---------------------------------------------
Published guidance instructs administrators to reboot the machine in Safe Mode, delete a specific file, and reboot back to normal mode. Obviously, this isn’t a viable resolution on virtual machines hosted in the public cloud as there is no way to get to Safe Mode.
---------------------------------------------
https://orca.security/resources/blog/crowdstrike-cloud-vm-automated-remediation/
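The cloud workaround for the Safe Mode procedure above is to stop the broken VM, detach its system volume, attach that volume to a healthy rescue instance, delete the offending file from the mounted volume offline, and reattach it. The following script is an added example (not code from the Orca post or from CrowdStrike) for the offline-deletion step on the rescue instance. The mount point and file pattern are parameters; the default pattern C-00000291*.sys under Windows\System32\drivers\CrowdStrike is taken from CrowdStrike's public remediation guidance and is an assumption as far as this page is concerned, which only says "a specific file". Path components are matched case-insensitively, because a Linux rescue instance mounting an NTFS volume is case-sensitive while Windows is not; the function defaults to dry-run and refuses to delete anything outside the mounted volume.

```python
"""Offline removal of a bad channel/driver file from a Windows volume that has
been detached from a broken cloud VM and attached to a rescue instance.

Added example, not code from the Orca post or from CrowdStrike. The default
directory and file pattern come from CrowdStrike's public guidance and are an
assumption relative to this page, which only speaks of "a specific file".
"""
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Sequence

# Directory on the Windows volume that holds the channel files (assumption).
DRIVER_SUBDIR: Sequence[str] = ("Windows", "System32", "drivers", "CrowdStrike")
# Channel-file name pattern from the public guidance (assumption).
DEFAULT_PATTERN = "C-00000291*.sys"


def _find_subdir(root: Path, parts: Sequence[str]) -> Optional[Path]:
    """Walk `parts` below `root`, matching each component case-insensitively.

    NTFS is case-insensitive, a Linux mount of it is not, so the directory on
    disk may be spelled 'windows/system32/DRIVERS/...'.
    """
    cur = root
    for part in parts:
        try:
            dirs = {e.name.lower(): e for e in os.scandir(cur) if e.is_dir()}
        except FileNotFoundError:
            return None
        nxt = dirs.get(part.lower())
        if nxt is None:
            return None
        cur = Path(nxt.path)
    return cur


def remediate_offline_volume(mount: str, pattern: str = DEFAULT_PATTERN,
                             dry_run: bool = True) -> List[str]:
    """List (dry run) or delete files in <mount>/Windows/System32/drivers/
    CrowdStrike whose name matches `pattern` (case-insensitive glob).

    Returns the paths that were, or would be, removed. Only regular files
    that resolve to a location inside `mount` are touched, so a symlink
    planted in the directory or a typo in `mount` cannot reach the rescue
    instance's own filesystem.
    """
    root = Path(mount).resolve()
    target = _find_subdir(root, DRIVER_SUBDIR)
    if target is None:
        return []
    hits: List[str] = []
    for entry in sorted(os.scandir(target), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not fnmatch.fnmatchcase(entry.name.lower(), pattern.lower()):
            continue
        real = Path(entry.path).resolve()
        if root not in real.parents:
            continue
        hits.append(entry.path)
        if not dry_run:
            os.remove(entry.path)
    return hits


def build_sample_volume() -> str:
    """Constructed sample: a throwaway directory laid out like a Windows
    volume with mixed-case component names, one file matching the default
    pattern and two files that must survive."""
    root = Path(tempfile.mkdtemp(prefix="winvol-"))
    drv = root / "windows" / "system32" / "DRIVERS" / "crowdstrike"
    drv.mkdir(parents=True)
    for name in ("C-00000291-00000000-00000032.sys",
                 "C-00000290-00000000-00000001.sys",
                 "csagent.sys"):
        (drv / name).write_bytes(b"\x00" * 16)
    return str(root)


if __name__ == "__main__":
    vol = build_sample_volume()
    print("would remove:", remediate_offline_volume(vol))
    print("removed:     ", remediate_offline_volume(vol, dry_run=False))
    print("left behind: ", remediate_offline_volume(vol, pattern="*.sys"))
```

Run it once with the default dry run and review the list before passing dry_run=False; on a real rescue instance `mount` is the directory where the detached volume was mounted, and the survivors check with pattern="*.sys" is a quick way to confirm that only the intended file is gone before reattaching the volume.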


∗∗∗ CrowdStrike outages: Microsoft releases recovery tool ∗∗∗
---------------------------------------------
Microsoft has released a USB stick image that can be used to recover affected systems, provided you have the BitLocker recovery key.
---------------------------------------------
https://heise.de/-9808481



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Telegram zero-day allowed sending malicious Android APKs as videos ∗∗∗
---------------------------------------------
A Telegram for Android zero-day vulnerability dubbed EvilVideo allowed attackers to send malicious Android APK payloads disguised as video files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy,[...]
---------------------------------------------
https://lwn.net/Articles/982845/


∗∗∗ Security updates: attackers can take down SonicWall firewalls ∗∗∗
---------------------------------------------
Some SonicWall firewalls are vulnerable. Attacks could be imminent.
---------------------------------------------
https://heise.de/-9808904


∗∗∗ BIOS security vulnerability endangers countless HP PCs ∗∗∗
---------------------------------------------
Attackers can attack many HP desktop computers with malicious code.
---------------------------------------------
https://heise.de/-9809134


∗∗∗ SSA-071402 V1.0: Multiple Vulnerabilities in SICAM Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-071402.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily