[CERT-daily] Tageszusammenfassung - 14.11.2024

Daily end-of-shift report team at cert.at
Thu Nov 14 18:43:01 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 13-11-2024 18:00 − Donnerstag 14-11-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 ∗∗∗
---------------------------------------------
While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we’re still a little concerned about FortiManager’s overall code quality. We note that our som/export vulnerability, ‘FortiJump Higher’, is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance.
---------------------------------------------
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/


∗∗∗ New PXA Stealer targets government and education sectors for sensitive information ∗∗∗
---------------------------------------------
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
---------------------------------------------
https://blog.talosintelligence.com/new-pxa-stealer/


∗∗∗ Advertisers are pushing ad and pop-up blockers using old tricks ∗∗∗
---------------------------------------------
A malvertising campaign using an old school trick was found pushing to different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.” [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks


∗∗∗ Сrimeware and financial cyberthreats in 2025 ∗∗∗
---------------------------------------------
Kasperskys GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025.
---------------------------------------------
https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/


∗∗∗ Malware: Erkennung entgehen durch angeflanschtes ZIP ∗∗∗
---------------------------------------------
IT-Forscher haben Malware entdeckt, die der Erkennung durch Virenscanner durch Verkettung von ZIP-Dateien entgeht.
---------------------------------------------
https://www.heise.de/-10034752

∗∗∗ Gratis-Tool: Sicherheitsforscher knacken ShrinkLocker-Verschlüsselung ∗∗∗
---------------------------------------------
Der Erpressungstrojaner ShrinkLocker nutzt Microsofts Bitlocker, um Windows-Systeme zu verschlüsseln. Ein Entschlüsselungstool hilft.
---------------------------------------------
https://www.heise.de/-10034933


∗∗∗ PHP Reinfector and Backdoor Malware Target WordPress Sites ∗∗∗
---------------------------------------------
We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options.
---------------------------------------------
https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-wordpress-sites.html


∗∗∗ Malware Spotlight: A Deep-Dive Analysis of WezRat ∗∗∗
---------------------------------------------
Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad.
---------------------------------------------
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/


∗∗∗ Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs ∗∗∗
---------------------------------------------
Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS.
---------------------------------------------
https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ 4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).
---------------------------------------------
https://lwn.net/Articles/998143/


∗∗∗ CISA Releases Nineteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-industrial-control-systems-advisories


∗∗∗ GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7 ∗∗∗
---------------------------------------------
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240
---------------------------------------------
https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerability-cve-2024-9693/


∗∗∗ Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-060


∗∗∗ Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-059


∗∗∗ Fortinet: Lack of capacity to filter logs by administrator access ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-267


∗∗∗ Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-2551

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list