[CERT-daily] Daily summary - 30.07.2024

Daily end-of-shift report team at cert.at
Tue Jul 30 18:25:53 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 29-07-2024 18:00 − Tuesday 30-07-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ New Specula tool uses Outlook for remote code execution in Windows ∗∗∗
---------------------------------------------
Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/


∗∗∗ DigiCert mass-revoking TLS certificates due to domain validation bug ∗∗∗
---------------------------------------------
DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-certificates-due-to-domain-validation-bug/


∗∗∗ Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools ∗∗∗
---------------------------------------------
Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month.
---------------------------------------------
https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/


∗∗∗ Beware of sudden inheritances ∗∗∗
---------------------------------------------
An unknown person contacts you by e-mail or via social networks. They introduce themselves, for example, as the "Governor of the Bank of Thailand" and claim that you are going to inherit a large sum of money. To appear credible, the person sends copies of ID documents, certificates and AI-generated video messages as proof. Ignore such messages, they are fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-ploetzlichen-erbschaften/


∗∗∗ Deep Sea Phishing Pt. 2 ∗∗∗
---------------------------------------------
I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany: “EDR evasion is all about looking like legitimate software” — ph3eds, 2024
---------------------------------------------
https://posts.specterops.io/deep-sea-phishing-pt-2-29c48f1e214e?source=rss----f05f8696e3cc---4


∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 ∗∗∗
---------------------------------------------
In this blog series, we will discuss two additional techniques that take advantage of legacy functionality within Windows and provide various examples through the over 20 vulnerabilities that we found. We will also address some failures despite efforts and explanations from our side with various vendors.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-1


∗∗∗ Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List ∗∗∗
---------------------------------------------
USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor.
---------------------------------------------
https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/


∗∗∗ Don't RegreSSH: An Anti-Pavlovian Approach to Celebrity Vulns ∗∗∗
---------------------------------------------
Before CrowdStrike caused the world to melt down for a few days, the talk of the security town was a recent OpenSSH vulnerability. Let's revisit CVE-2024-6387.
---------------------------------------------
https://www.bitsight.com/blog/dont-regressh-anti-pavlovian-approach-celebrity-vulns



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical vulnerability in VMware ESXi - actively exploited - update available ∗∗∗
---------------------------------------------
Security researchers at Microsoft have discovered a critical vulnerability in VMware ESXi whose exploitation allows attackers to take full control of a hypervisor affected by the vulnerability. The vulnerability is already being actively abused for ransomware attacks. CVE number(s): CVE-2024-37085
---------------------------------------------
https://www.cert.at/de/warnungen/2024/7/kritische-sicherheitslucke-in-vmware-esxi-aktiv-ausgenutzt-update-verfugbar


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency).
---------------------------------------------
https://lwn.net/Articles/983935/


∗∗∗ WordPress Vulnerability & Patch Roundup July 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html


∗∗∗ ManageEngine (Exchange Reporter Plus, Exchange Reporter Plus) Family July 2024 Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/80826/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



