[CERT-daily] Tageszusammenfassung - 22.10.2024

Tue Oct 22 18:11:36 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ FortiManager: Update dichtet offenbar attackiertes Sicherheitsleck ab ∗∗∗
---------------------------------------------
Ohne öffentliche Informationen hat Fortinet Updates für FortiManager veröffentlicht. Sie schließen offenbar attackierte Sicherheitslücken.
---------------------------------------------
https://heise.de/-9990393


∗∗∗ Auch ein .rdp File kann gefährlich sein ∗∗∗
---------------------------------------------
Heute wurde in ganz Europa eine Spear-Phishing Kampagne beobachtet, bei der es darum geht, dass der Empfänger ein angehängtes RDP File öffnen soll.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein


∗∗∗ Security Flaw in Styras OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗
---------------------------------------------
Details have emerged about a now-patched security flaw in Styras Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.
---------------------------------------------
https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html


∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗
---------------------------------------------
The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_malware_loader_png/


∗∗∗ OpenSSL 3.4.0 released ∗∗∗
---------------------------------------------
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds anumber of new encryption algorithms, support for "directly fetchedcomposite signature algorithms such as RSA-SHA2-256", and more. See therelease notes for details.
---------------------------------------------
https://lwn.net/Articles/995098/


∗∗∗ Akira ransomware continues to evolve ∗∗∗
---------------------------------------------
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the groups attack chain, targeted verticals, and potential future TTPs.
---------------------------------------------
https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/


∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT.
---------------------------------------------
https://blog.talosintelligence.com/gophish-powerrat-dcrat/


∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗
---------------------------------------------
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-cryptominer-deployment.html


∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗
---------------------------------------------
This is a continuation of the series on web application security where we dive into cookie dynamics.
---------------------------------------------
https://www.bitsight.com/blog/web-application-security-devops-site-and-origin-dynamics-and-cross-site-request-forgery


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗
---------------------------------------------
VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-critical-vcenter-server-rce-flaw/


∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗
---------------------------------------------
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
---------------------------------------------
https://lwn.net/Articles/995095/


∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83995/


∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84002/


∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily