[CERT-daily] Daily summary - 21.05.2024

Daily end-of-shift report team at cert.at
Tue May 21 18:08:33 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 17-05-2024 18:00 - Tuesday 21-05-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Alexander Riepl

=====================
=       News        =
=====================

∗∗∗ Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising ∗∗∗
---------------------------------------------
A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for PuTTY and WinSCP.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/


∗∗∗ Banking malware Grandoreiro returns after police disruption ∗∗∗
---------------------------------------------
The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/


∗∗∗ CISA warns of hackers exploiting Chrome, EoL D-Link bugs ∗∗∗
---------------------------------------------
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-chrome-eol-d-link-bugs/


∗∗∗ New BiBi Wiper version also destroys the disk partition table ∗∗∗
---------------------------------------------
A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-destroys-the-disk-partition-table/


∗∗∗ GitHub warns of SAML auth bypass flaw in Enterprise Server ∗∗∗
---------------------------------------------
GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/


∗∗∗ Unprotected API: security flaw turns students into laundry millionaires ∗∗∗
---------------------------------------------
Many universities and student dormitories have laundry machines from CSC ServiceWorks. Two students discovered a security vulnerability in them - with considerable potential for abuse.
---------------------------------------------
https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-studenten-zu-waesche-millionaeren-2405-185242.html


∗∗∗ Fluent Bit: critical vulnerability affects all major cloud providers ∗∗∗
---------------------------------------------
The vulnerability can be used not only to provoke outages and siphon off data; under certain circumstances, remote code execution is also possible.
---------------------------------------------
https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-gaengigen-cloudanbieter-2405-185277.html


∗∗∗ Analyzing MSG Files, (Mon, May 20th) ∗∗∗
---------------------------------------------
.msg email files are OLE files and can be analyzed with my tool oledump.py.
---------------------------------------------
https://isc.sans.edu/diary/Analyzing+MSG+Files/30940


∗∗∗ Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns ∗∗∗
---------------------------------------------
Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a ..
---------------------------------------------
https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html


∗∗∗ Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail ∗∗∗
---------------------------------------------
A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible ..
---------------------------------------------
https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html


∗∗∗ SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure ∗∗∗
---------------------------------------------
The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from ..
---------------------------------------------
https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html


∗∗∗ Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users ∗∗∗
---------------------------------------------
A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the ..
---------------------------------------------
https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html


∗∗∗ Beware of the Telegram group "Scammerpayback" ∗∗∗
---------------------------------------------
Criminals spread fake offers of help in forums, on Facebook pages, or in groups where fraud victims look for support or information. Using fake or hijacked profiles, they comment on Facebook posts by Watchlist Internet and lure victims into a Telegram group where they supposedly get their money back.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammerpayback/


∗∗∗ Security update: DoS vulnerabilities closed in network analysis tool Wireshark ∗∗∗
---------------------------------------------
In the current version of Wireshark, the developers have closed three security vulnerabilities and fixed several bugs.
---------------------------------------------
https://heise.de/-9725317

=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel).
---------------------------------------------
https://lwn.net/Articles/974339/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure).
---------------------------------------------
https://lwn.net/Articles/974450/


∗∗∗ WAGO: Vulnerability in WAGO Navigator ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-021/


∗∗∗ WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-068/


∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerabilities-in-some-5g-nr-4g-lte-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-home-router-devices-05-21-2024


∗∗∗ Security updates 1.6.7 and 1.5.7 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily