[CERT-daily] Tageszusammenfassung - 18.06.2024
Daily end-of-shift report
team at cert.at
Tue Jun 18 18:08:49 CEST 2024
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-06-2024 18:02 − Tuesday 18-06-2024 18:02
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Hackers use F5 BIG-IP malware to stealthily steal data for years ∗∗∗
---------------------------------------------
A group of suspected Chinese cyberespionage actors named Velvet Ant are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/
∗∗∗ Analysis of user password strength ∗∗∗
---------------------------------------------
Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques.
---------------------------------------------
https://securelist.com/passworde-brute-force-time/112984/
∗∗∗ New Malware Targets Exposed Docker APIs for Cryptocurrency Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
---------------------------------------------
https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.html
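The campaign above works because a Docker daemon that listens on TCP without TLS client verification exposes a root-equivalent API to anyone who can reach the port. The following audit script is an added example, not code from the article or from Docker; it parses a daemon.json and flags a TCP listener that is unauthenticated or bound to every interface. The sample configurations are constructed; only the "hosts" and "tlsverify" keys are inspected, and the port numbers 2375/2376 are Docker's conventional plaintext/TLS ports, not a rule the check relies on.

```python
"""Flag an unauthenticated or wide-open Docker API in daemon.json.

Added example; constructed sample configs, not taken from any real host.
"""
import json

ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def audit_docker_hosts(daemon_json: str) -> list:
    """Return a list of findings for the 'hosts' entries in a daemon.json.

    A tcp:// listener is only safe when the daemon verifies client certs
    (tlsverify) and, ideally, is bound to a specific management address.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        addr = host[len("tcp://"):]
        bind_addr = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if not tls_verify:
            findings.append(f"{host}: TCP API without tlsverify (no client authentication)")
        if bind_addr in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    return findings


# Constructed: the weak setting seen on compromised hosts.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: the corrected setting, TLS with client-cert verification,
# bound to a management address only.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.2:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_hosts(cfg) or "OK")
```

Run it against /etc/docker/daemon.json on each host; the same two checks apply to a `-H tcp://...` flag passed on the dockerd command line or in a systemd unit, which this script does not read.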
∗∗∗ From Clipboard to Compromise: A PowerShell Self-Pwn ∗∗∗
---------------------------------------------
Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
∗∗∗ Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability ∗∗∗
---------------------------------------------
With physical access to an Android device that has ADB debugging enabled and runs Android 12 or 13 without the March 2024 security patch, it is possible to access the internal data of any user-installed app by abusing CVE-2024-0044.
---------------------------------------------
https://www.mobile-hacker.com/2024/06/17/exfiltrate-sensitive-user-data-from-apps-on-android-12-and-13-using-cve-2024-0044-vulnerability/
∗∗∗ Warning, fake: doouglasparfum.com ∗∗∗
---------------------------------------------
Professional-looking online shops posing as Douglas are currently offering brand-name perfumes at more than 50 percent off. Even the domain names doouglasparfum.com and dougllas.com look plausible at first glance. Anyone who buys from these fake shops loses their money and receives no goods.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-doouglasparfumcom/
∗∗∗ Attack Paths Into VMs in the Cloud ∗∗∗
---------------------------------------------
Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
∗∗∗ Private Microsoft Outlook mail accounts to be better secured ∗∗∗
---------------------------------------------
A few days ago Microsoft announced that it intends to improve the security of "Outlook for personal users" in the future.
---------------------------------------------
https://www.borncity.com/blog/2024/06/18/private-microsoft-outlook-mailkonten-sollen-besser-abgesichert-werden/
∗∗∗ How are attackers trying to bypass MFA? ∗∗∗
---------------------------------------------
Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their push-spray MFA attacks
---------------------------------------------
https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/
∗∗∗ Malvertising Campaign Leads to Execution of Oyster Backdoor ∗∗∗
---------------------------------------------
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
∗∗∗ Cloaked and Covert: Uncovering UNC3886 Espionage Operations ∗∗∗
---------------------------------------------
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/
∗∗∗ CISA and Partners Release Guidance for Modern Approaches to Network Access Security ∗∗∗
---------------------------------------------
Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/18/cisa-and-partners-release-guidance-modern-approaches-network-access-security
∗∗∗ New Diamorphine rootkit variant seen undetected in the wild ∗∗∗
---------------------------------------------
Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64 and ARM64). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker at compilation time.
---------------------------------------------
https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/
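A cheap first check for a Diamorphine-style module that has made itself "invisible": the upstream rootkit unlinks its struct module from the kernel's module list, so lsmod and /proc/modules stop showing it, but the module's /sys/module/<name>/ directory is left behind. The script below, an added example not from the Avast write-up or the Diamorphine project, compares the two views. It assumes that the initstate attribute under /sys/module exists only for modules loaded at runtime and not for built-in code; the sample /proc/modules content and module names are constructed, and "diamorphine" is only the upstream default name, since the attacker picks the name at build time.

```python
"""Find loaded kernel modules that are missing from /proc/modules.

Added example; constructed sample data. A variant that also removes its
sysfs kobject would pass this check, so a clean result is weak evidence.
"""
import os
from typing import Iterable


def parse_proc_modules(text: str) -> set:
    """Module names from /proc/modules content (first column of each line)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def hidden_modules(proc_modules_text: str, sysfs_loaded: Iterable[str]) -> set:
    """Names that sysfs reports as loaded modules but /proc/modules lacks.

    Pass only runtime-loaded modules (see sysfs_loaded_modules): built-in
    code with parameters also gets a /sys/module entry and would otherwise
    produce false positives.
    """
    return set(sysfs_loaded) - parse_proc_modules(proc_modules_text)


def sysfs_loaded_modules(sys_module_dir: str = "/sys/module") -> set:
    """Directory names under /sys/module that belong to loadable modules.

    Assumption: the 'initstate' attribute is created only for modules
    loaded via init_module/finit_module, never for built-in code.
    """
    try:
        entries = os.listdir(sys_module_dir)
    except OSError:
        return set()
    return {
        name for name in entries
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate"))
    }


# Constructed sample: /proc/modules on a host where the rootkit has already
# unlinked itself, and the matching set of sysfs entries that still exist.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a9e000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc0a5f000
ext4 983040 1 - Live 0xffffffffc08c7000
"""
SAMPLE_SYSFS_LOADED = {"xt_conntrack", "nf_conntrack", "ext4", "diamorphine"}


def check_live() -> set:
    """Run the comparison against the running kernel (Linux only)."""
    try:
        with open("/proc/modules") as fh:
            proc_text = fh.read()
    except OSError:
        return set()
    return hidden_modules(proc_text, sysfs_loaded_modules())


if __name__ == "__main__":
    print("sample:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED))
    print("live:", check_live() or "nothing hidden (or not Linux)")
```

Because the rootkit hooks the syscalls used for directory listing, run the live check from a trusted environment where possible (a rescue boot or a forensic image of /sys and /proc captured from outside the guest), and treat any name that shows up as a reason to pull memory, not as proof on its own.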
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).
---------------------------------------------
https://lwn.net/Articles/978804/
∗∗∗ Security updates: root vulnerability threatens VMware vCenter Server ∗∗∗
---------------------------------------------
Among others, two critical vulnerabilities threaten VMware vCenter Server and Cloud Foundation.
---------------------------------------------
https://heise.de/-9767493
∗∗∗ Python-based exploit in Autodesk Maya software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0011
∗∗∗ Critical vulnerability CVE-2024-38428 in wget ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2024/06/18/kritische-schwachstelle-cve-2024-38428-in-wget-dringend-handeln/
∗∗∗ RAD Data Communications SecFlow-2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-170-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily