[CERT-daily] Tageszusammenfassung - 16.05.2024

Thu May 16 18:39:45 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 15-05-2024 18:00 − Donnerstag 16-05-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ To the Moon and back(doors): Lunar landing in diplomatic missions ∗∗∗
---------------------------------------------
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/


∗∗∗ Windows Quick Assist abused in Black Basta ransomware attacks ∗∗∗
---------------------------------------------
Microsoft has been investigating this campaign since at least mid-April 2024, and, as they observed, the threat group (tracked as Storm-1811) started their attacks by email bombing the target after subscribing their addresses to various email subscription services. Once their mailboxes flood with unsolicited messages, the threat actors call them while impersonating a Microsoft technical support or the attacked company's IT or help desk staff to help remediate the spam issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/


∗∗∗ Google patches third exploited Chrome zero-day in a week ∗∗∗
---------------------------------------------
Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-patches-third-exploited-chrome-zero-day-in-a-week/


∗∗∗ Springtail: New Linux Backdoor Added to Toolkit ∗∗∗
---------------------------------------------
The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage


∗∗∗ Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices ∗∗∗
---------------------------------------------
This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.
---------------------------------------------
https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/


∗∗∗ ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers’ commands or stealing cryptocurrency-related information. The malware newly discovered this time utilizes the open-source OCR engine Tesseract.
---------------------------------------------
https://asec.ahnlab.com/en/65426/


∗∗∗ Talos releases new macOS open-source fuzzer ∗∗∗
---------------------------------------------
Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. [..] Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.
---------------------------------------------
https://blog.talosintelligence.com/talos-releases-new-macos-fuzzer/


∗∗∗ Llama Drama: Critical Vulnerability CVE-2024-34359 Threatening Your Software Supply Chain ∗∗∗
---------------------------------------------
Jinja2: This library is a popular Python tool for template rendering, primarily used for generating HTML. Its ability to execute dynamic content makes it powerful but can pose a significant security risk if not correctly configured to restrict unsafe operations. `llama_cpp_python`: This package integrates Python's ease of use with C++'s performance, making it ideal for complex AI models handling large data volumes. However, its use of Jinja2 for processing model metadata without enabling necessary security safeguards exposes it to template injection attacks. [..] The vulnerability identified has been addressed in version 0.2.72 of the llama-cpp-python package, which includes a fix enhancing sandboxing and input validation measures.
---------------------------------------------
https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-34359-threatening-your-software-supply-chain/


∗∗∗ The xz apocalypse that almost was* ∗∗∗
---------------------------------------------
Given Bitsight’s pretty broad view of the Internet, I thought I could contribute to the discussion a bit and ask “how bad could this have been?” and as a corollary “how many chances would there have been to notice?” So let’s get into the “how bad could this have been?” question first.
---------------------------------------------
https://www.bitsight.com/blog/xz-apocalypse-almost-was


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, and nodejs:20), Debian (chromium, firefox-esr, ghostscript, and libreoffice), Fedora (djvulibre, mingw-glib2, mingw-python-jinja2, and mingw-python-werkzeug), Oracle (.NET 7.0, .NET 8.0, kernel, and nodejs:18), Red Hat (nodejs:20), Slackware (gdk and git), SUSE (python), and Ubuntu (linux-hwe-5.15, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/973908/


∗∗∗ Sicherheitslücken in Überwachungskameras und Video-Babyphones ∗∗∗
---------------------------------------------
Schwachstellen aus der ThroughTek Kaylay-IoT-Plattform. Dringend Update-Status der IoT-Geräte prüfen.
---------------------------------------------
https://www.zdnet.de/88415973/sicherheitsluecken-in-ueberwachungskameras-und-video-babyphones/


∗∗∗ WLAN-Attacke: SSID-Verwechslungs-Angriff macht Nutzer verwundbar ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in WLAN-Protokollen führt dazu, dass Angreifer in einer Man-in-the-Middle-Position WLAN-Verkehr manipulieren können. [..] Das ohnehin nicht mehr sicher zu nutzende WEP ist anfällig, und das neuere, sonst sicherere WPA3 ebenfalls. 802.11X/EAP und Mesh-Netzwerke mit AMPE-Authentifizierung sind laut Auflistung ebenfalls für SSID-Confusion verwundbar.
---------------------------------------------
https://heise.de/-9720818


∗∗∗ Cisco: Updates schließen Sicherheitslücken in mehreren Produkten ∗∗∗
---------------------------------------------
In mehreren Cisco-Produkten klaffen Sicherheitslücken, durch die Angreifer sich etwa root-Rechte verschaffen und Geräte kompromittieren können. [..] Insgesamt warnt Cisco in drei Mitteilungen vor hochriskanten Sicherheitslücken.
---------------------------------------------
https://heise.de/-9720226


∗∗∗ Freies Admin-Panel: Codeschmuggel durch Cross-Site-Scripting in Froxlor ∗∗∗
---------------------------------------------
Dank schludriger Eingabefilterung können Angreifer ohne Anmeldung Javascript im Browser des Server-Admins ausführen. Ein Patch steht bereit.
---------------------------------------------
https://heise.de/-9721569


∗∗∗ Netzwerksicherheit: Diverse Fortinet-Produkte für verschiedene Attacken anfällig ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für unter anderem FortiSandbox, FortiPortal und FortiWebManager erschienen.
---------------------------------------------
https://heise.de/-9720252


∗∗∗ Access Points von Aruba verwundbar – keine Updates für ältere Versionen ∗∗∗
---------------------------------------------
Insgesamt haben die Entwickler sechs "kritische" Sicherheitslücken in noch unterstützten Versionen von ArubaOS und InstantOS geschlossen.
---------------------------------------------
https://heise.de/-9720385


∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14


∗∗∗ [R1] Nessus Agent Version 10.6.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-09


∗∗∗ [R1] Nessus Version 10.7.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-08


∗∗∗ F5: K000139637 : Expat vulnerability CVE-2024-28757 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139637


∗∗∗ F5: K000139643 : Node.js vulnerability CVE-2024-28863 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139643

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily