[CERT-daily] Daily summary - 27.05.2024
Daily end-of-shift report
team at cert.at
Mon May 27 18:27:56 CEST 2024
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-05-2024 18:00 - Monday 27-05-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google security manager: phishing tests achieve nothing and annoy employees ∗∗∗
---------------------------------------------
Employees often feel betrayed by phishing simulations, a security expert explains. This undermines trust in the security teams.
---------------------------------------------
https://www.golem.de/news/google-security-manager-phishing-tests-bringen-nichts-und-nerven-mitarbeiter-2405-185435.html
∗∗∗ Memory safety: almost 20 percent of all Rust packages are potentially unsafe ∗∗∗
---------------------------------------------
According to the Rust Foundation, roughly one in five Rust packages uses the unsafe keyword. In most cases it is used to call third-party code or libraries.
---------------------------------------------
https://www.golem.de/news/speichersicherheit-fast-20-prozent-aller-rust-pakete-sind-potenziell-unsicher-2405-185452.html
∗∗∗ Commentary: enough with fake pentests! ∗∗∗
---------------------------------------------
We want to do a pentest. For a while, many of my customer conversations began this way – sometimes with the variation "must" instead of "want". But why do we pentest at all?
---------------------------------------------
https://heise.de/-9718811
∗∗∗ Checkpoint: Important Security Update – Enhance your VPN Security Posture! ∗∗∗
---------------------------------------------
Over the past few months, we have observed increased interest from malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises. [..] By May 24, 2024 we identified a small number of login attempts using old VPN local accounts relying on an unrecommended password-only authentication method. [..] Password-only authentication is considered an unfavourable method for ensuring the highest levels of security, and we recommend not relying on it when logging in to network infrastructure. Check Point has released a solution, as a preventative measure, to address these unauthorised remote access attempts.
---------------------------------------------
https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/
∗∗∗ Hackers phish finance orgs using trojanized Minesweeper clone ∗∗∗
---------------------------------------------
Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188,' who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. SuperOps RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems. [..] The attack begins with an email sent from the address "support at patient-docs-mail.com," impersonating a medical center with the subject "Personal Web Archive of Medical Documents."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-using-trojanized-minesweeper-clone/
∗∗∗ Message board scams ∗∗∗
---------------------------------------------
Here’s how scams target buyers and sellers on online message boards, and how the gangs behind them operate. [..] The gang under study also operates in Canada, Austria, France, and Norway.
---------------------------------------------
https://securelist.com/message-board-scam/112691/
∗∗∗ New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI ∗∗∗
---------------------------------------------
Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users' credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.
---------------------------------------------
https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html
∗∗∗ Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store ∗∗∗
---------------------------------------------
At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. [..] These malware-infected applications have collectively garnered over 5.5 million installs. [..] In this blog, we provide a technical analysis of Anatsa attack campaigns that leveraged themes like PDF readers and QR code readers to distribute malware in the Google Play store.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
∗∗∗ Linguistic Lumberjack: Understanding CVE-2024-4323 in Fluent Bit ∗∗∗
---------------------------------------------
This vulnerability was discovered by the Tenable research team, who described in their blog that the flaw is due to improper validation of input names in requests, which can be exploited to cause memory corruption. This can result in denial-of-service attacks or information exposure, with remote code execution being possible under certain conditions. [..] This proof-of-concept script demonstrates how a denial of service is caused. CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3.
---------------------------------------------
https://blog.aquasec.com/linguistic-lumberjack-understanding-cve-2024-4323-in-fluent-bit
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a "mini-mass-rebuild" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth).
---------------------------------------------
https://lwn.net/Articles/975399/
∗∗∗ Multiple vulnerabilities in HAWKI ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-hawki/
∗∗∗ Synology-SA-24:07 Synology Camera ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_07
∗∗∗ F5: K000139764: Apache HTTPD vulnerability CVE-2023-38709 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139764
∗∗∗ F5: K000139525: Libexpat vulnerability CVE-2022-43680 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139525
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily