[CERT-daily] Tageszusammenfassung - 18.11.2024

Daily end-of-shift report team at cert.at
Mon Nov 18 18:20:20 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 15-11-2024 18:00 − Monday 18-11-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Honeypot: Researcher fools script kiddies with fake ransomware ∗∗∗
---------------------------------------------
A tool called Jinn was supposed to make ransomware attacks easier. In fact it was a honeypot, and quite a few actors fell for it.
---------------------------------------------
https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fake-ransomware-2411-190885.html


∗∗∗ Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? ∗∗∗
---------------------------------------------
A blog detailing in-depth research into women in Russian-speaking cybercrime.
---------------------------------------------
https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-creatures-or-significant-members-of-underground


∗∗∗ Mastering DORA core topics: A deep dive into incident management ∗∗∗
---------------------------------------------
In this blog post we look at the requirements DORA places on incident management.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-dive-in-incident-management/


∗∗∗ Swiss cheesed off as postal service used to spread malware ∗∗∗
---------------------------------------------
QR codes arrive via an age-old delivery system. Switzerland's National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the country's postal service.
---------------------------------------------
https://www.theregister.com/2024/11/16/swiss_malware_qr/


∗∗∗ WTF: Security researchers find three new flaws while reproducing one ∗∗∗
---------------------------------------------
When the watchTowr Labs researchers set out to verify the FortiManager vulnerability, they found further bugs and incomplete fixes.
---------------------------------------------
https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer-Luecke-drei-neue-10039106.html


∗∗∗ T-Mobile affected by Chinese cyberattack ∗∗∗
---------------------------------------------
According to a report, the hackers were able to break into several telecommunications companies in the USA as well as internationally.
---------------------------------------------
https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cyberangriff-betroffen


∗∗∗ Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 ∗∗∗
---------------------------------------------
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/


∗∗∗ Acute wave of DDoS attacks against Austrian companies and organisations ∗∗∗
---------------------------------------------
Since early this morning, various Austrian companies and organisations from different industries and sectors have been facing DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In view of the current events ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024


∗∗∗ BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA ∗∗∗
---------------------------------------------
KEY TAKEAWAYS: Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the ..
---------------------------------------------
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/


∗∗∗ Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices ∗∗∗
---------------------------------------------
In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html


∗∗∗ What To Use Instead of PGP ∗∗∗
---------------------------------------------
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing ..
---------------------------------------------
https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/


∗∗∗ TPM-Backed SSH Keys on Windows 11 ∗∗∗
---------------------------------------------
On my MacBook, I’ve been using TPM/security key-based SSH keys for years since it’s where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was ..
---------------------------------------------
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/


∗∗∗ Reverse Engineering iOS 18 Inactivity Reboot ∗∗∗
---------------------------------------------
iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
---------------------------------------------
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html


∗∗∗ Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction ∗∗∗
---------------------------------------------
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
---------------------------------------------
https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authentication-with-remote-kill-switch?utm_medium=feed


∗∗∗ Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability ∗∗∗
---------------------------------------------
On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially ..
---------------------------------------------
https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-the-vulnerability/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), ..
---------------------------------------------
https://lwn.net/Articles/998570/


∗∗∗ CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-0012


∗∗∗ CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9474

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
