[CERT-daily] Daily summary - 11.10.2024
Daily end-of-shift report
team at cert.at
Fri Oct 11 18:11:01 CEST 2024
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-10-2024 18:00 − Friday 11-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗
---------------------------------------------
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/
∗∗∗ Digital warfare: Russian hackers reportedly using Zimbra and TeamCity exploits ∗∗∗
---------------------------------------------
Russian state-sponsored hackers are targeting Zimbra and JetBrains TeamCity installations at Western companies, the USA and the United Kingdom warn.
---------------------------------------------
https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-und-teamcity-exploits-nutzen-2410-189728.html
∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗
---------------------------------------------
The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said.
---------------------------------------------
https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html
∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗
---------------------------------------------
If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.
---------------------------------------------
https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-kms-xks-dea668633802
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗
---------------------------------------------
Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database.
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-30-2024-to-october-6-2024/
∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗
---------------------------------------------
Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.
---------------------------------------------
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗
---------------------------------------------
Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome.
---------------------------------------------
https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/
∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗
---------------------------------------------
CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
∗∗∗ EU Council sets the Cyber Resilience Act in motion ∗∗∗
---------------------------------------------
In future, networked products placed on the market in the EU must be secured against attacks and signal this with the CE mark.
---------------------------------------------
https://heise.de/-9977103
=====================
= Vulnerabilities =
=====================
∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗
---------------------------------------------
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.
---------------------------------------------
https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
∗∗∗ Privileged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-472
∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗
---------------------------------------------
It is possible to:
* Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses
* Extract all Gyms join passwords
[..]
* Bypass user-chosen privacy settings
---------------------------------------------
https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
---------------------------------------------
https://lwn.net/Articles/993778/
∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗
---------------------------------------------
* CVE-2024-9680: Use-after-free in Animation timeline
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/
∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗
---------------------------------------------
The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type.
---------------------------------------------
https://asec.ahnlab.com/en/83775/
∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗
---------------------------------------------
* CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows)
* CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded)
---------------------------------------------
https://asec.ahnlab.com/en/83776/
∗∗∗ Anonymising Linux: Tails 6.8.1 closes critical security vulnerability ∗∗∗
---------------------------------------------
Tails Linux, intended for anonymous browsing, closes a security vulnerability in version 6.8.1. It also improves the handling of persistent storage.
---------------------------------------------
https://heise.de/-9977905
∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN54676967/
∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily