[CERT-daily] Tageszusammenfassung - 13.06.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 12-06-2024 18:00 − Donnerstag 13-06-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Microsoft Patchday Juni 2024 - CVE-2024-30080, CVE-2024-30078 ∗∗∗
---------------------------------------------
Im Rahmen des aktuellen Patchday hat Microsoft Patches für 58 Sicherheitslücken veröffentlicht. Aus der Liste stechen zwei Schwachstellen besonders hervor:  CVE-2024-30080, eine Remote Code Execution in Microsoft Message Queuing (MSMQ) [..] CVE-2024-30078, eine Remote Code Execution in "Windows Wi-Fi Driver".
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/6/microsoft-patchday-juni-2024-cve-2024-30080-cve-2024-30078


∗∗∗ Kundenservice österreichischer Unternehmen nicht über kunden-support.tel kontaktieren! ∗∗∗
---------------------------------------------
Sie suchen die Kontaktdaten des Kundendienstes Ihrer Bank oder Ihres Mobilfunkanbieters? Sie haben eine Frage an die Österreichische Post oder müssen die Wiener Stadtwerke erreichen? Wenn Sie im Internet nach den Kontaktdaten eines dieser oder vieler anderer Unternehmen suchen, um den Kundensupport anzurufen, könnten Sie auf die Seite kunden-support.tel stoßen. Diese Seite schaltet Werbung auf Google und gibt vor, die Kontaktdaten verschiedener österreichischer Kundendienste aufzulisten. Aber Vorsicht! Dahinter stecken Kriminelle!
---------------------------------------------
https://www.watchlist-internet.at/news/kundenservice-oesterreichischer-unternehmen-nicht-ueber-kunden-supporttel-kontaktieren/


∗∗∗ Cinterion EHS5 3G UMTS/HSPA Module Research ∗∗∗
---------------------------------------------
In the course of the modem security analysis, we found seven locally exploited vulnerabilities and one remotely exploited vulnerability. The combination of these vulnerabilities could allow an attacker to completely get control over the modem. [..] All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far as the product support discontinued.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/cinterion-ehs5-3g-umts-hspa-module-research/


∗∗∗ Phishing emails abuse Windows search protocol to push malicious scripts ∗∗∗
---------------------------------------------
A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. [..] In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents. Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers' servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/


∗∗∗ Fortinet: CVE 2024-21754: Passwords on a Silver Platter ∗∗∗
---------------------------------------------
Matthias Barkhausen and Hendrik Eckardt have discovered a flaw in the firmware of Fortinet firewalls. This flaw potentially reveals sensitive information to attackers, such as passwords. [..] The flaw has been responsibly disclosed to the vendor. It has been addressed in FortiOS v7.4.4, dated June 11, 2024. [..] Learn more details and read the full story on the blog of G DATA Advanced Analytics.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/01/37834-passwords-on-a-silver-platter


∗∗∗ Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware ∗∗∗
---------------------------------------------
The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. [..] The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll").
---------------------------------------------
https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.html


∗∗∗ New Attack Technique Sleepy Pickle Targets Machine Learning Models ∗∗∗
---------------------------------------------
The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle. [..] While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization).
---------------------------------------------
https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html


∗∗∗ Digitale Stellenangebote: Job gesucht, Betrug gefunden ∗∗∗
---------------------------------------------
Jahresverdienst von 90.000 Euro, Homeoffice und 30 Tage Urlaub für eine Einstiegsstelle als Junior Data Analyst – das klingt zu gut, um wahr zu sein, oder? Ist es auch: Denn oftmals entpuppen sich solche Stellenangebote als Betrug.
---------------------------------------------
https://www.welivesecurity.com/de/scams/digitale-stellenangebote-job-gesucht-betrug-gefunden/


∗∗∗ Watch Out! CISA Warns It Is Being Impersonated By Scammers ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are impersonating its employees in an attempt to commit fraud.
---------------------------------------------
https://www.tripwire.com/state-of-security/watch-out-cisa-warns-it-being-impersonated-scammers


∗∗∗ Malware-Ranking: Androxgh0st-Botnet breitet sich in Deutschland aus ∗∗∗
---------------------------------------------
Die seit April aktive Malware schafft es im Mai bereits auf Platz 2. Lockbit erholt sich von den Maßnahmen der Strafverfolger und macht weltweit wieder 33 Prozent der veröffentlichten Ransomware-Angriffe aus.
---------------------------------------------
https://www.zdnet.de/88416444/malware-ranking-androxgh0st-botnet-breitet-sich-in-deutschland-aus/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitslücke: Der VLC Media Player ist angreifbar ∗∗∗
---------------------------------------------
Durch einen speziell gestalteten MMS-Stream lässt sich der VLC-Player zum Absturz bringen. Laut VideoLAN ist potenziell auch eine Schadcodeausführung möglich. [..] Anfällig sind alle VLC-Versionen bis einschließlich 3.0.20.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-der-vlc-media-player-ist-angreifbar-2406-186018.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource).
---------------------------------------------
https://lwn.net/Articles/978291/


∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability, 
CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability, 
CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/13/cisa-adds-three-known-exploited-vulnerabilities-catalog


∗∗∗ Google fixed an actively exploited zero-day in the Pixel Firmware ∗∗∗
---------------------------------------------
https://securityaffairs.com/164500/security/google-fixed-pixel-firmware-zero-day.html


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/06/wordfence-intelligence-weekly-wordpress-vulnerability-report-june-3-2024-to-june-9-2024/


∗∗∗ Palo Alto: CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log Files (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5908


∗∗∗ Palo Alto: CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5909


∗∗∗ Palo Alto: CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5906


∗∗∗ Palo Alto: CVE-2024-5907 Cortex XDR Agent: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5907


∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-14


∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-18

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily