[CERT-daily] Tageszusammenfassung - 31.05.2024

Fri May 31 18:30:32 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 29-05-2024 18:00 − Freitag 31-05-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Operation Endgame: Großer Schlag gegen weltweite Cyberkriminalität ∗∗∗
---------------------------------------------
Die "Operation Endgame" richtete sich hauptsächlich gegen die Gruppierungen hinter den Botnetzen der sechs Schadsoftware-Familien IcedID, SystemBC, Bumblebee, Smokeloader, Pikabot und Trickbot. [..] Zehn internationale Haftbefehle wurden erlassen, vier Personen vorläufig festgenommen. [..] An der Aktion waren demnach unter der Leitung des BKA Strafverfolger aus den Niederlanden, Frankreich, Dänemark, Großbritannien, Österreich sowie den USA beteiligt.
---------------------------------------------
https://heise.de/-9741012


∗∗∗ Cybercriminals pose as "helpful" Stack Overflow users to push malware ∗∗∗
---------------------------------------------
Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users questions by promoting a malicious PyPi package that installs Windows information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/


∗∗∗ Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours ∗∗∗
---------------------------------------------
The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported. [..] Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates the attack is linked to the Windstream outage that occurred during the same timeframe.
---------------------------------------------
https://securityaffairs.com/163939/malware/chalubo-destroyed-600000-soho-routers.html


∗∗∗ Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation.
---------------------------------------------
https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.html


∗∗∗ Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices ∗∗∗
---------------------------------------------
Microsoft has emphasized the need for securing internet-exposed operational technology (OT) devices following a spate of cyber attacks targeting such environments since late 2023. "These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team said.
---------------------------------------------
https://thehackernews.com/2024/05/microsoft-warns-of-surge-in-cyber.html


∗∗∗ CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud ∗∗∗
---------------------------------------------
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE?
---------------------------------------------
https://www.thezdi.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud


∗∗∗ LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader ∗∗∗
---------------------------------------------
Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.
---------------------------------------------
https://blog.talosintelligence.com/lilacsquid/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, 389-ds:1.4, ansible-core bug fix, enhancement, and, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, gdk-pixbuf2, ghostscript, git-lfs, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, Image builder components bug fix, enhancement and, kernel, kernel-rt, krb5, less, LibRaw, libsndfile, libssh, libXpm, linux-firmware, motif, mutt, nghttp2, openssh, pam, pcp, pcs, perl-Convert-ASN1, perl-CPAN, perl:5.32, pki-core:10.6 and pki-deps:10.6, pmix, poppler, python-dns, python-jinja2, python-pillow, python27:2.7, python3, python3.11, python3.11-cryptography, python3.11-urllib3, python39:3.9 and python39-devel:3.9, qt5-qtbase, resource-agents, squashfs-tools, sssd, systemd, tigervnc, traceroute, vorbis-tools, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), Debian (gst-plugins-base1.0), Fedora (cacti, cacti-spine, roundcubemail, and wireshark), Oracle (.NET 7.0, .NET 8.0, bind and dhcp, gdk-pixbuf2, git-lfs, glibc, grafana, krb5, pcp, python-dns, python3, sssd, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (edk2, less, nghttp2, and ruby:3.0), SUSE (gstreamer-plugins-base, Java, kernel, and python-requests), and Ubuntu (ffmpeg, node-browserify-sign, postgresql-14, postgresql-15, postgresql-16, and python-pymysql).
---------------------------------------------
https://lwn.net/Articles/976209/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-pymysql), Fedora (chromium, mingw-python-requests, and thunderbird), Mageia (perl-Email-MIME and qtnetworkauth5 & qtnetworkauth6), Red Hat (gdisk and python39:3.9 and python39-devel:3.9 modules), SUSE (freerdp, gdk-pixbuf, gifsicle, glib2, java-1_8_0-ibm, kernel, libfastjson, libredwg, nodejs16, python, python3, python36, rpm, warewulf4, and xdg-desktop-portal), and Ubuntu (gst-plugins-base1.0, python-werkzeug, and tpm2-tss). 
---------------------------------------------
https://lwn.net/Articles/976006/


∗∗∗ IT-Monitoring: Checkmk schließt Lücke, die Änderung von Dateien ermöglicht ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in der Monitoring-Software Checkmk ermöglicht Angreifern, unbefugt lokale Dateien auf dem Checkmk-Server zu lesen und zu schreiben.
---------------------------------------------
https://heise.de/-9741274


∗∗∗ Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-022

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily