[CERT-daily] Tageszusammenfassung - 24.09.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 23-09-2024 18:00 − Dienstag 24-09-2024 18:00
Handler:     Alexander Riepl
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Hackerangriff hier, Hackerangriff da? Nein. ∗∗∗
---------------------------------------------
Ein Kommentar zur aktuellen Berichterstattung rund um DDoS-Angriffe gegen die Webseiten politischer Parteien in Österreich.
---------------------------------------------
https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff


∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗
---------------------------------------------
An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/


∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗
---------------------------------------------
A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-octo-android-malware-version-impersonates-nordvpn-google-chrome/


∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗
---------------------------------------------
Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited.
---------------------------------------------
https://isc.sans.edu/diary/rss/31292


∗∗∗ Untersuchung von Solaris / SunOS - Persistenz mit Systemprozessen ∗∗∗
---------------------------------------------
Im Vergleich zu Windows oder sogar Linux ist das öffentliche Wissen und die Anleitung zur digitalen Forensik für Solaris / SunOS eher dünn. Während dieses Einsatzes haben wir unser Wissen über Solaris erheblich erweitert und es auf verschiedene Angreifertechniken hin untersucht. In diesem Blog-Beitrag möchten wir unsere Erfahrungen mit der Untersuchung potenzieller Persistenz durch Systemprozesse im Zusammenhang mit der MITRE ATT&CK-Technik T1543 teilen.
---------------------------------------------
https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persistence-using-system-processes/


∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗
---------------------------------------------
A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. {..] Deloitte says no sensitive data exposed after a notorious hacker leaked what he claimed to be internal communications.
---------------------------------------------
https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-after-hacker-claims-server-breach/


∗∗∗ Kirchenaustritt nicht über kirchenaustritt-digital-beantragen.at beantragen ∗∗∗
---------------------------------------------
Wer Informationen zum Kirchenaustritt sucht, landet schnell bei kirchenaustritt-digital-beantragen.at. Wir raten jedoch davon ab, über diesen kostenpflichtigen Dienst den Austritt zu beantragen. Beschwerden zufolge wird die Kündigung trotz Bezahlung nicht an die Kirche übermittelt. Außerdem werden sehr viele Daten und eine Ausweiskopie verlangt. Wir raten generell davon ab, Kündigungen usw. über Drittanbieter abzuwickeln.
---------------------------------------------
https://www.watchlist-internet.at/news/kirchenaustritt/


∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗
---------------------------------------------
We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain.
---------------------------------------------
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/


∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗
---------------------------------------------
A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service.
---------------------------------------------
https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗
---------------------------------------------
Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity.
---------------------------------------------
https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-to-hacking-security-firm/


∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel, 
ICSA-24-268-02 Alisonic Sibylla, 
ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO, 
ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE, 
ICSA-24-268-05 Moxa MXview One, 
ICSA-24-268-06 OMNTEC Proteus Tank Monitoring, 
ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A), 
ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-industrial-control-systems-advisories


∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗
---------------------------------------------
Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269)
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-memory-corruption-vulnerabilities-in-some-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-versions-09-24-2024


∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗
---------------------------------------------
In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated-tank-gauge-systems


∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-462.html


∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83325/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily