[CERT-daily] Daily summary - 04.03.2024

Daily end-of-shift report team at cert.at
Mon Mar 4 18:31:46 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 01-03-2024 18:00 − Monday 04-03-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Gemini, ChatGPT and LLaVA: New worm spreads by itself through AI ecosystems ∗∗∗
---------------------------------------------
Researchers have developed an AI worm. It can not only exfiltrate sensitive data but also propagate itself within a GenAI ecosystem.
---------------------------------------------
https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-sich-in-ki-oekosystemen-selbst-2403-182790.html


∗∗∗ Hunting For Integer Overflows In Web Servers ∗∗∗
---------------------------------------------
In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie!
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for-integer-overflows-in-web-servers/


∗∗∗ New Wave of SocGholish Infections Impersonates WordPress Plugins ∗∗∗
---------------------------------------------
SocGholish malware, otherwise known as “fake browser updates”, is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites.
---------------------------------------------
https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html


∗∗∗ Rise in Deceptive PDF: The Gateway to Malicious Payloads ∗∗∗
---------------------------------------------
McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-the-gateway-to-malicious-payloads/


∗∗∗ Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers ∗∗∗
---------------------------------------------
A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS).
---------------------------------------------
https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-based-plc-malware-researchers/


∗∗∗ Beware of fake parcel notifications ∗∗∗
---------------------------------------------
Are you expecting a parcel? Check notifications about the shipment status very carefully! Fake parcel notifications in the name of all common delivery services are currently in circulation. Never click hastily on links in e-mails and SMS messages, and do not disclose credit card details!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachrichtigungen/


∗∗∗ Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE ∗∗∗
---------------------------------------------
Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid – fe12e833-6f0c-45c9-97d6-83337ea6c5d3).
---------------------------------------------
https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-to-godzilla-web-shell-discovery-new-cve/


∗∗∗ Microsoft fixes exploited Windows 0-day vulnerability CVE-2024-21338 six months after it was reported ∗∗∗
---------------------------------------------
In February 2024, Microsoft fixed the vulnerability CVE-2024-21338 in the kernel of Windows 10/11 and various Windows Server versions. Great! The catch in the story: the vulnerability was reported by AVAST in August 2023, and it was being exploited as a 0-day at that time.
---------------------------------------------
https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-windows-0-day-schwachstelle-cve-2024-21338-sechs-monate-nach-meldung/


∗∗∗ Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO ∗∗∗
---------------------------------------------
The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html


∗∗∗ GitHub as a malware distributor ∗∗∗
---------------------------------------------
A security company reports on a new scheme for distributing malicious code on a large scale: via compromised clone repositories on GitHub.
---------------------------------------------
https://heise.de/-9644525



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) ∗∗∗
---------------------------------------------
JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately.
---------------------------------------------
https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird).
---------------------------------------------
https://lwn.net/Articles/964376/


∗∗∗ Hikvision Patches High-Severity Vulnerability in Security Management System ∗∗∗
---------------------------------------------
Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs.
---------------------------------------------
https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-in-security-management-system/


∗∗∗ Aruba: Code injection possible through security vulnerabilities in Clearpass Manager ∗∗∗
---------------------------------------------
HPE's Aruba Clearpass Manager contains security vulnerabilities, some of them critical. Updates that close them are available. [..] One vulnerability affects the bundled Apache Struts server and allows the injection of commands (CVE-2023-50164, CVSS 9.8, risk "critical").
---------------------------------------------
https://heise.de/-9644607


∗∗∗ Solarwinds: Malicious-code vulnerability in Security Event Manager ∗∗∗
---------------------------------------------
Attackers can abuse security vulnerabilities in Solarwinds Secure Event Manager to inject malicious code. Updates plug the leaks.
---------------------------------------------
https://heise.de/-9644643


∗∗∗ Attackers can compromise systems running Dell software ∗∗∗
---------------------------------------------
Important security patches have been released for Dell Data Protection Advisor, iDRAC8 and Secure Connect Gateway.
---------------------------------------------
https://heise.de/-9644978


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ F5: K000138726 : Linux kernel vulnerability CVE-2023-3611 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138726

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



