[CERT-daily] Tageszusammenfassung - 30.10.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 29-10-2024 18:00 − Mittwoch 30-10-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗
---------------------------------------------
A global large-scale dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-credentials-from-exposed-git-config-files/


∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗
---------------------------------------------
Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/


∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗
---------------------------------------------
In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.
---------------------------------------------
https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/


∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗
---------------------------------------------
Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets.
---------------------------------------------
https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vector-supply-chain-attack/


∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗
---------------------------------------------
A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges. 
---------------------------------------------
https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Nach Pwn2Own: QNAP und Synology patchen ausgenutzte NAS-Lücken ∗∗∗
---------------------------------------------
Für auf der Pwn2Own ausgenutzte TrueNAS-Lücken scheint es derweil noch keine Patches zu geben – dafür aber Hinweise, wie Nutzer ihre Systeme vor möglichen Angriffen schützen können. [..] Erste Patches gibt es beispielsweise von Synology. Das Unternehmen hat schon am 25. Oktober Updates für Beephotos für Beestation OS 1.0 und 1.1 sowie Synology Photos 1.7 und 1.6 für DSM 7.2 bereitgestellt.  Diese schließen jeweils eine kritische Sicherheitslücke, die es Angreifern erlaubt, aus der Ferne Schadcode auszuführen.
---------------------------------------------
https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzte-nas-luecken-2410-190316.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/996310/


∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-42


∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1015


∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1014


∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injection-in-ping-identity-pingidm-formerly-known-as-forgerock-identity-management/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily