[CERT-daily] Tageszusammenfassung - 24.06.2024

Daily end-of-shift report team at cert.at
Mon Jun 24 18:42:45 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 21-06-2024 18:00 − Montag 24-06-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Ratel RAT targets outdated Android phones in ransomware attacks ∗∗∗
---------------------------------------------
An open-source Android malware named Ratel RAT is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [..] As for the targets, Check Point mentions successful targeting of high-profile organizations, including in government and the military sector, with most victims being from the United States, China, and Indonesia.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-android-phones-in-ransomware-attacks/


∗∗∗ Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins ∗∗∗
---------------------------------------------
On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. [..] We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted.  [..] At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server.
---------------------------------------------
https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins/


∗∗∗ Facebook PrestaShop module exploited to steal credit cards ∗∗∗
---------------------------------------------
Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal peoples payment credit card details. [..] Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed "a long time ago," without providing any proof.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-exploited-to-steal-credit-cards/


∗∗∗ XZ backdoor: Hook analysis ∗∗∗
---------------------------------------------
In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time.
---------------------------------------------
https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/


∗∗∗ Sysinternals Process Monitor Version 4 Released, (Sat, Jun 22nd) ∗∗∗
---------------------------------------------
These releases bring improvements to performance and the user interface.
---------------------------------------------
https://isc.sans.edu/diary/rss/31026


∗∗∗ Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz.
---------------------------------------------
https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html


∗∗∗ Deye Wechselrichter: Cloud Account zeigt fremde Anlagen-/Kundendaten an ∗∗∗
---------------------------------------------
In deutschen Objekten dürften einige Balkonkraftwerke und auch fest installierte Solaranlagen arbeiten, bei denen Wechselrichter des chinesischen Herstellers Deye verwendet werden. [..] Ein Leser hat mich bereits im Mai 2024 mit einem anderen Problem konfrontiert. Er konnte die Anlagendaten einer ihm komplett unbekannten Person einsehen. [..] Der Leser hat die deutsche Dependance kontaktiert [..] Die Reaktion hat den Leser erstaunt, denn als er den Hersteller auf den Bug hinwies, habe dieser das bezweifelt. [..] Generöser Weise bot Deye dem Betroffenen an, zu helfen, die zweite Anlage aus dem Benutzerkonto auszutragen.
---------------------------------------------
https://www.borncity.com/blog/2024/06/24/deye-wechselrichter-cloud-account-zeigt-fremde-anlagen-kundendaten-an/


∗∗∗ Horror auf dem Vision Pro: Exploit schleust Spinnen und Fledermäuse in den Raum ∗∗∗
---------------------------------------------
Damit der Angriff gelingt, muss der Vision-Pro-Nutzer lediglich eine präparierte Webseite aufrufen. Der Raum füllt sich daraufhin mit gruseligen Tierchen, inklusive Sound.
---------------------------------------------
https://www.golem.de/news/horror-auf-der-vision-pro-exploit-schleust-spinnen-und-fledermaeuse-in-den-raum-2406-186345.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) ∗∗∗
---------------------------------------------
The product WINSelect from Faronics is used to restrict the possible actions of users on a system and can even be used to implement a Kiosk mode. Due to hardcoded credentials and an unfitting application architecture an attacker could decrypt the configuration file and retrieve the password which is used to configure the software. Thus, an attacker could completely disable the software. [..] The vendor provides a patched version 8.30.xx.903 since May 2024 [..] Since the hardcoded password for the encryption is not fixed, we ask if this will be addressed as well. Vendor responds that this will be addressed in a future release.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-allowing-complete-bypass-in-faronics-winselect-standard-enterprise/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java).
---------------------------------------------
https://lwn.net/Articles/979520/


∗∗∗ CosmicSting: Schwachstelle CVE-2024-34102 gefährdet Adobe Commerce- und Magento-Shops ∗∗∗
---------------------------------------------
Seit Mitte des Monats ist bekannt, dass in Adobe Commerce- und Magento-Online-Shops die Schwachstelle CVE-2024-34102 existiert. Zusammen mit einer Linux-Schwachstelle lassen sich Tausende Shops durch Angreifer übernehmen. Es gibt seit einigen Tagen einen Fix, aber ein Großteil der Online-Shops läuft noch mit ungepatchten Versionen.
---------------------------------------------
https://www.borncity.com/blog/2024/06/24/cosmicsting-schwachstelle-cve-2024-34102-gefhrdet-adobe-commerce-und-magento-shops/


∗∗∗ Vulnerability Summary for the Week of June 17, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-176

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list