[CERT-daily] Tageszusammenfassung - 19.03.2024
Daily end-of-shift report
team at cert.at
Tue Mar 19 18:24:42 CET 2024
=====================
= End-of-Day report =
=====================
Timeframe: Montag 18-03-2024 18:00 − Dienstag 19-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗
---------------------------------------------
A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/
∗∗∗ Turnier verschoben: Mögliche RCE-Schwachstelle bedroht Apex-Legends-Spieler ∗∗∗
---------------------------------------------
Der weitverbreitete Free-to-play-Shooter Apex Legends steht derzeit im Verdacht, unter einer Sicherheitslücke zu leiden, die es Angreifern ermöglicht, aus der Ferne die Kontrolle über die Computer der Spieler zu übernehmen. Ob die Schwachstelle das Spiel selbst oder dessen Anti-Cheat-Software betrifft, ist wohl noch unklar.
---------------------------------------------
https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-bedroht-apex-legends-spieler-2403-183303.html
∗∗∗ ARM MTE: Androids Hardwareschutz gegen Speicherlücken umgehbar ∗∗∗
---------------------------------------------
Mit dem Memory-Tagging moderner ARM-CPUs soll das Potenzial bestimmter Sicherheitslücken verkleinert werden. Die Idee hat deutliche Grenzen. Das Security-Forschungsteam des Code-Hosters Github hat die Ausnutzung einer Speicherlücke beschrieben, bei der der dafür eigentlich vorgesehene Schutz, das Memory-Tagging, offenbar gar keine Rolle spielt. Den Beteiligten ist es demnach gelungen, eine Sicherheitslücke in ARMs GPU-Treiber, die vollen Kernelzugriff und das Erlangen von Root-Rechten ermöglicht, auch auf einem aktuellen Pixel 8 auszunutzen, auf dem die sogenannten Memory Tagging Extension (MTE) aktiviert ist.
---------------------------------------------
https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherluecken-umgehbar-2403-183334.html
∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗
---------------------------------------------
Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-h2-2023/112153/
∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗
---------------------------------------------
The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day.
---------------------------------------------
https://isc.sans.edu/diary/rss/30758
∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗
---------------------------------------------
A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").
---------------------------------------------
https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html
∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗
---------------------------------------------
This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.
---------------------------------------------
https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/
∗∗∗ Claroty-Report: Zahlreiche Schwachstellen in medizinischen Netzwerken und Geräten ∗∗∗
---------------------------------------------
Sicherheitsanbieter Claroty hat sein Team82, eine Forschungseinheit von Claroty, auf das Thema Sicherheit im Medizinbereich, bezogen auf Geräte und Netzwerke, angesetzt, um die Auswirkungen der zunehmenden Vernetzung medizinischer Geräte zu untersuchen. Ziel des Berichts ist es, die umfassende Konnektivität kritischer medizinischer Geräte – von bildgebenden Systemen bis hin zu Infusionspumpen – aufzuzeigen und die damit verbundenen Risiken zu beleuchten. [..] Das erschreckende Ergebnis: Im Rahmen der Untersuchungen von Team82 tauchen häufig Schwachstellen und Implementierungsfehler auf.
---------------------------------------------
https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachstellen-in-medizinischen-netzwerken-und-gerten/
∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗
---------------------------------------------
Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository.
---------------------------------------------
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
---------------------------------------------
https://lwn.net/Articles/965958/
∗∗∗ RaspberryMatic: Kritische Lücke erlaubt Codeschmuggel ∗∗∗
---------------------------------------------
Im freien HomeMatic-Server RaspberryMatic klafft eine Codeschmuggel-Lücke. Sie gilt als kritisch. Ein Update steht bereit.
---------------------------------------------
https://heise.de/-9658709
∗∗∗ Sicherheitsupdates für Firefox und Thunderbird ∗∗∗
---------------------------------------------
Mozilla dichtet zahlreiche Sicherheitslücken im Webbrowser Firefox und Mailer Thunderbird ab.
---------------------------------------------
https://heise.de/-9659433
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list