End-of-Day report
Timeframe: Thursday 04-01-2024 18:00 - Friday 05-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Critical code-execution vulnerability endangers Ivanti Endpoint Manager
Under certain conditions, attackers can execute malicious code on Ivanti EPM servers.
https://www.heise.de/-9587991.html
Ransomware: one extortion is immediately followed by the next
Online criminals are becoming ever more brazen and exploit victims of extortion trojans several times over.
https://www.heise.de/-9588424.html
Fitness app "Mad Muscles": cost trap instead of support for New Year's resolutions
The dubious provider "Mad Muscles" is currently running massive advertising campaigns on Facebook and Instagram. The message? "Building muscle isn't as hard as it sounds!" Such messages are especially popular around the turn of the year, since the offers are supposed to help people keep their New Year's resolutions. What the advertising does not say: the operators of madmuscles.com and the associated "Mad Muscle App" are just as opaque about company information as they are about the total costs. On top of that, user reports say cancellations are made difficult.
https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-statt-unterstuetzung-bei-neujahrsvorsaetzen/
The source code of Zeppelin Ransomware sold on a hacking forum
Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500.
https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-code.html
New Bandook RAT Variant Resurfaces, Targeting Windows Machines
A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html
SpectralBlur: New macOS Backdoor Threat from North Korean Hackers
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...]
https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.html
Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer
Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples.
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/
Vulnerabilities
Inductive Automation Trust Center Updates
Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities.
https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b
QNAP Security Advisories
- Vulnerability in QcalAgent
- Multiple Vulnerabilities in QTS and QuTS hero
- Multiple Vulnerabilities in QuMagie
- Multiple Vulnerabilities in Video Station
- Vulnerability in Netatalk
https://www.qnap.com/en-us/security-advisories
Security updates for Friday
Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).
https://lwn.net/Articles/957005/
Security Update for Ivanti EPM
[...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability.
This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.
If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication.
https://www.ivanti.com/blog/security-update-for-ivanti-epm
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/