[CERT-daily] Tageszusammenfassung - 28.03.2024
Daily end-of-shift report
team at cert.at
Thu Mar 28 18:48:01 CET 2024
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-03-2024 18:00 − Donnerstag 28-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗
---------------------------------------------
A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/
∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗
---------------------------------------------
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/
∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗
---------------------------------------------
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
---------------------------------------------
https://securelist.com/dinodasrat-linux-implant/112284/
∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗
---------------------------------------------
It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called “_Rechnung_01941085434_PDF.js” (Invoice in German) with a low VT score.
---------------------------------------------
https://isc.sans.edu/diary/rss/30788
∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗
---------------------------------------------
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.
---------------------------------------------
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
∗∗∗ Netz-digitalisierung.com eröffnet Konten in Ihrem Namen! ∗∗∗
---------------------------------------------
Verlockende Nebenjob-Angebote als App-Tester:in oder Studienteilnehmer:in über die Seite netz-digitalisierung.com führen zu Identitätsdiebstahl! Die Kriminellen eröffnen Konten in Ihrem Namen und verwenden diese möglicherweise für kriminelle Zwecke.
---------------------------------------------
https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/
∗∗∗ Pre-Ransomware Aktivität: Schadakteure nutzen CitrixBleed (CVE-2023-4966) noch immer und verstärkt für Initialzugriff ∗∗∗
---------------------------------------------
Aktuell sind uns einige Ransomware-Vorfälle in Österreich bekannt, bei denen mit sehr hoher Wahrscheinlichkeit CitrixBleed (CVE-2023-4966) als primärer Angriffsvektor für den initialen Zugriff auf die Organisationsnetzwerke benutzt wurde. Ein Patch steht seit geraumer Zeit zur Verfügung.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-nutzen-citrixbleed-cve-2023-4966-noch-immer-und-verstarkt-fur-initialzugriff
∗∗∗ Schon wieder zu viel Schadcode: Keine neuen Projekte für Python-Registry PyPI ∗∗∗
---------------------------------------------
Ein Ansturm von Paketen mit Schadcode hat die Betreiber des Python Package Index dazu veranlasst, die Aufnahme neuer Projekte und User zu stoppen.
---------------------------------------------
https://heise.de/-9670240
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidias newborn ChatRTX bot patched for security bugs ∗∗∗
---------------------------------------------
ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatrtx_security_flaws/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
---------------------------------------------
https://lwn.net/Articles/966961/
∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗
---------------------------------------------
Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.
---------------------------------------------
https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-product/
∗∗∗ Neue SugarCRM-Versionen schließen kritische Lücken ∗∗∗
---------------------------------------------
Insgesamt 18, teils kritische Lücken schließen die neuen Versionen SugarCRM 13.03. und 12.05.
---------------------------------------------
https://heise.de/-9670436
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-18-2024-to-march-24-2024/
∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_05
∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list