[CERT-daily] Tageszusammenfassung - 06.11.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 05-11-2024 18:00 − Mittwoch 06-11-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a

=====================
=       News        =
=====================


∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗
---------------------------------------------
The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protect-researchers-who-find-security-flaws/


∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗
---------------------------------------------
SANS recently published its 2024 State of ICS.OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report ..
---------------------------------------------
https://www.darkreading.com/ics-ot-security/attackers-breach-network-provider-ot-ics-network


∗∗∗ Verbraucherschützer warnen: Smarte Fritteusen lauschen und senden Daten nach China ∗∗∗
---------------------------------------------
Verbraucherschützer haben bei verschiedenen smarten Geräten Datenschutzprobleme aufgedeckt. Ganz vorne mit dabei: Heißluftfritteusen!
---------------------------------------------
https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lauschen-und-senden-daten-nach-china-2411-190532.html


∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗
---------------------------------------------
Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle.
---------------------------------------------
https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/


∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗
---------------------------------------------
INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation.Dubbed Operation Synergia II, the coordinated effort ran from April 1 to ..
---------------------------------------------
https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html


∗∗∗ Angreifer nutzen emulierte Linux-Umgebung als Backdoor ∗∗∗
---------------------------------------------
IT-Sicherheitsforscher haben eine ungewöhnliche Angriffsart entdeckt: Die Täter haben eine emulierte Linux-Umgebung als Backdoor eingerichtet.
---------------------------------------------
https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-nach-Phishing-Angriff-10005721.html


∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗
---------------------------------------------
A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/


∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗
---------------------------------------------
TL;DR Default iOS configuration leaves your locked device vulnerable Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-locked-thats-fine-right/


∗∗∗ Tückische Zahlungsanweisung: Stammt diese Mail wirklich von Ihrem Chef? ∗∗∗
---------------------------------------------
Von der Buchhaltung im internationalen Großkonzern bis zur Verwaltung im Kleinbetrieb nebenan. In letzter Zeit erhalten immer mehr Mitarbeiter:innen betrügerische Mails im Namen der Geschäftsführung ..
---------------------------------------------
https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/


∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗
---------------------------------------------
Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-counter-malvertising


∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗
---------------------------------------------
The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to ..
---------------------------------------------
https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-player-taken-over-by-attackers/


∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗
---------------------------------------------
While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. Introduction Since July 2024, Check Point Research (CPR) has been tracking an extensive a..
---------------------------------------------
https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/


∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗
---------------------------------------------
The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments/


∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗
---------------------------------------------
FortiGuard Labs reveals a threat actor spreads Winos4.0, infiltrating gaming apps and targeting the education sector
---------------------------------------------
https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application


∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗
---------------------------------------------
16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-expert-guide-to-combating-kerberoasting-in-active-directory/


=====================
=  Vulnerabilities  =
=====================


∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL


∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmp-sxss-qBTDBZDD


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), ..
---------------------------------------------
https://lwn.net/Articles/997182/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily