[CERT-daily] Tageszusammenfassung - 13.05.2024

Mon May 13 18:12:40 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 10-05-2024 18:00 − Montag 13-05-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ GoTo Meeting loads Remcos RAT via Rust Shellcode Loader ∗∗∗
---------------------------------------------
Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos


∗∗∗ API missbraucht: Hacker teilt Details zum Cyberangriff auf Dell ∗∗∗
---------------------------------------------
Ein Cyberkrimineller hat rund 49 Millionen Kundendatensätze von Dell abgegriffen. Möglich gewesen ist ihm dies über eine unzureichend geschützte API eines Partnerportals.
---------------------------------------------
https://www.golem.de/news/api-missbraucht-hacker-teilt-details-zum-cyberangriff-auf-dell-2405-185010.html


∗∗∗ FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT ∗∗∗
---------------------------------------------
The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.
---------------------------------------------
https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html


∗∗∗ Vorsicht vor falschen Anrufen von PayPal oder Amazon ∗∗∗
---------------------------------------------
Derzeit werden uns vermehrt Anrufe im Namen von PayPal und Amazon gemeldet. Die Kriminellen geben vor, ein Problem mit Ihrem Konto zu haben und bieten Ihnen telefonische Hilfe an.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-anrufen-von-paypal-oder-amazon/


∗∗∗ Leveraging DNS Tunneling for Tracking and Scanning ∗∗∗
---------------------------------------------
We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited.
---------------------------------------------
https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/


∗∗∗ Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS ∗∗∗
---------------------------------------------
This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling Ive written and some of the fun along the way.
---------------------------------------------
https://blog.zsec.uk/hellojackhunter-exploring-winsxs/


∗∗∗ Not all scams are easy to spot ∗∗∗
---------------------------------------------
Even the most intelligent individuals can fall victim to scams due to coincidental timing and convincing tactics, so staying skeptical, verifying communications and using anti-scam tools is key to reducing the risk.
---------------------------------------------
https://www.emsisoft.com/en/blog/45650/not-all-scams-are-easy-to-spot/


∗∗∗ Europol sperrt eigenes Forum nach erfolgreichem Einbruch ∗∗∗
---------------------------------------------
Die europäische Polizeibehörde hat ihren Dienst "Europol for Experts" vom Netz genommen. Zuvor waren unter anderem Strategiepapiere daraus angeboten worden.
---------------------------------------------
https://heise.de/-9715410


∗∗∗ Ransomware Black Basta zählt nach zwei Jahren weltweit über 500 Opfer ∗∗∗
---------------------------------------------
Das FBI teilt wichtige Fakten im Kampf gegen den Erpressungstrojaner Black Basta. Die Ransomware macht auch vor kritischen Infrastrukturen nicht halt.
---------------------------------------------
https://heise.de/-9715674


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Widely used modems in industrial IoT devices open to SMS attack ∗∗∗
---------------------------------------------
Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/widely-used-modems-in-industrial-iot-devices-open-to-sms-attack/


∗∗∗ Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the projects logo.
---------------------------------------------
https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss).
---------------------------------------------
https://lwn.net/Articles/973496/


∗∗∗ Microsoft fixt DLL-Hijacking-Schwachstelle in Store-App Telemetrie-Wrapper-Installer ∗∗∗
---------------------------------------------
Microsoft hat damit vor einiger Zeit seine Store-Apps mit einem neuen Installer versehen. Dieser enthält einen ausführbaren .NET-Wrapper der Telemetrie und weiteren Code in die App integriert. In der ersten Version wies dieser .NET-Wrapper aber eine DLL-Hijacking-Schwachstelle auf [...]
---------------------------------------------
https://www.borncity.com/blog/2024/05/11/microsoft-fixt-dll-hijacking-schwachstelle-in-store-app-telemetrie-wrapper-installer/


∗∗∗ Self-Signed Zertifikate im SAP® Cloud Connector zugelassen ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/self-signed-zertifikate-im-sap-cloud-connector-zugelassen/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily