[CERT-daily] Tageszusammenfassung - 28.10.2024

Mon Oct 28 18:43:57 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Alexander Riepl

=====================
=       News        =
=====================


∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗
---------------------------------------------
Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-in-rogue-remote-desktop-campaign-to-steal-data/


∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗
---------------------------------------------
The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/


∗∗∗ 70 Zero-Day-Lücken ausgenutzt: Pwn2Own-Hacker knacken Samsung Galaxy S24 und mehr ∗∗∗
---------------------------------------------
Bei dem Wettbewerb wurden auch diverse Kameras, Drucker und NAS-Systeme attackiert. An ein Pixel 8 oder iPhone 15 hat sich aber niemand rangetraut.
---------------------------------------------
https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-knacken-samsung-galaxy-s24-und-mehr-2410-190238.html


∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗
---------------------------------------------
To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html


∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗
---------------------------------------------
The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently ..
---------------------------------------------
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html


∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗
---------------------------------------------
A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.
---------------------------------------------
https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-dhs-report/


∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗
---------------------------------------------
These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, ..
---------------------------------------------
https://zwclose.github.io/2024/10/14/rtsper1.html


∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗
---------------------------------------------
The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for trade craft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that call themselves “You Dun” ..
---------------------------------------------
https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/


∗∗∗ Die NSA empfiehlt wöchentliches Smartphone-Reboot ∗∗∗
---------------------------------------------
Interessante Information, die mir die Woche untergekommen ist. Die US-Sicherheitsbehörde NSA (National Security Agency, Inlandsgeheimdienst) empfiehlt einmal wöchentlich sein Smartphone neu zu starten. Das ganze hat einen sicherheitstechnischen Hintergrund. Durch den Neustart soll Malware, die nicht persistent ..
---------------------------------------------
https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-smartphone-reboot/


∗∗∗ Anatomy of an LLM RCE ∗∗∗
---------------------------------------------
As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a ..
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce


∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗
---------------------------------------------
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/


∗∗∗ Secure Coding: Unbefugten Zugriff durch Path Traversal (CWE-22) verhindern ∗∗∗
---------------------------------------------
CWE-22 beschreibt die unsachgemäße Veränderung eines Pfadnamens auf ein eingeschränktes Verzeichnis. Wie lässt sich die Schwachstelle in den Griff bekommen?
---------------------------------------------
https://heise.de/-9982270


∗∗∗ Black Basta-Gruppe nutzt Microsoft Teams-Chatfunktion ∗∗∗
---------------------------------------------
Die als "Black Basta" bekannte Ransomware-Gruppe hat einen neuen Mechanismus entwickelt, der die Chatfunktion von Microsoft Teams zur Kontaktaufnahme ausnutzt.
---------------------------------------------
https://heise.de/-9995322


∗∗∗ Nvidia: Rechteausweitung durch Sicherheitslücken in Grafiktreiber möglich ∗∗∗
---------------------------------------------
Nvidia warnt vor mehreren Sicherheitslücken in den Grafiktreibern, die etwa das Ausweiten der Rechte ermöglichen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-9995842


∗∗∗ Lagebericht 2024: Fast 8 Millionen Mal installierte Malware in Google Play ∗∗∗
---------------------------------------------
IT-Forscher haben die mobile-Malware-Situation der vergangenen 12 Monate untersucht. Mehr als 200 App-Fälschungen lauerten in Google Play.
---------------------------------------------
https://heise.de/-9996456


∗∗∗ VMware Tanzu Spring Security: Umgehung von Autorisierungsregeln möglich ∗∗∗
---------------------------------------------
In VMware Tanzu Spring Security klafft eine kritische Sicherheitslücke, die Angreifern die Umgehung von Autorisierungsregeln ermöglicht.
---------------------------------------------
https://heise.de/-9996582


=====================
=  Vulnerabilities  =
=====================


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, ..
---------------------------------------------
https://lwn.net/Articles/996085/


∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78335885/


∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148252


∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148256

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily