[CERT-daily] Tageszusammenfassung - 09.09.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 06-09-2024 18:00 − Montag 09-09-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a

=====================
=       News        =
=====================


∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗
---------------------------------------------
​Transport for London, the citys public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-faces-systems-disruptions-after-cyberattack/


∗∗∗ Softwarefehler bei Landtagswahl: CCC kritisiert Intransparenz bei Wahlsoftware ∗∗∗
---------------------------------------------
Eine "stümperhafte Implementierung" könnte zu dem Berechnungsfehler bei der Landtagswahl in Sachsen geführt haben. Der CCC fordert mehr Transparenz.
---------------------------------------------
https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-intransparenz-bei-wahlsoftware-2409-188781.html


∗∗∗ Angriff auf Air-Gapped-Systeme: Malware exfiltriert Daten drahtlos durch den RAM ∗∗∗
---------------------------------------------
Die Angriffstechnik liefert zwar keine hohe Datenrate, für ein Keylogging in Echtzeit sowie das Ausleiten von Passwörtern und RSA-Keys reicht sie aber aus.
---------------------------------------------
https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltriert-daten-drahtlos-durch-den-ram-2409-188805.html


∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗
---------------------------------------------
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/


∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗
---------------------------------------------
An anonymous reader shares a report: ChatGPTs 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream theres still plenty of money to be made -- especially if youre catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months ..
---------------------------------------------
https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-market-ai-chatbots-is-thriving


∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗
---------------------------------------------
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-development-in-rust-for-security-researchers-part-1/


∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗
---------------------------------------------
Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-an-experimental-windows-kernel-rootkit-in-rust/


∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗
---------------------------------------------
Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions.
---------------------------------------------
https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrastructure/


∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗
---------------------------------------------
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims environments for Southeast Asian espionage.
---------------------------------------------
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/


∗∗∗ Sextortion-Betrugsversuch I: Aufzeichnung des Porno-Konsums; und "Rechnungszahlung" ∗∗∗
---------------------------------------------
Aktuell laufen wieder sogenannte Sextortion-Kampagnen, bei der Opfer per E-Mail mit angeblich kompromittierendem Material erpresst werden sollen. Ich fasse daher einige Informationen der letzten Tage über laufende Sextortion-Kampagnen in ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzeichnung-des-porno-konsums-und-rechnungszahlung/


∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗
---------------------------------------------
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
---------------------------------------------
https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-data/


∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-exploited-vulnerabilities-catalog


∗∗∗ Eigene Identität im Blick: Google Dark Web Report warnt vor Datenlecks​ ∗∗∗
---------------------------------------------
Mit dem Dark Web Report von Google lässt sich die eigene Identität auf Datenpannen überwachen. Der Dienst ist nun kostenlos und nicht mehr Abo-Bestandteil.
---------------------------------------------
https://heise.de/-9860797


∗∗∗ Polen zerschlägt Ring von Cybersaboteuren ∗∗∗
---------------------------------------------
Das EU- und Nato-Land Polen ist zunehmend Ziel von Cyberattacken. Warschau vermutet dahinter die Tätigkeit russischer und belarussischer Geheimdienste.
---------------------------------------------
https://heise.de/-9862555


=====================
=  Vulnerabilities  =
=====================


∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1196/


∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00180.html


∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily