Daily summary - 12.01.2024

End-of-Day report

Timeframe: Thursday 11-01-2024 18:00 - Friday 12-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Security risk: How easily mobile phone users can be secretly tracked

A Dutch radio station got hold of 80 gigabytes of location data from the Berlin-based platform Datarade and was thereby able to shadow military officers, among others.

https://www.heise.de/-9596230.html


Microsoft delivers a workaround for installing updates in the WinRE partition

On the January Patch Tuesday, update installation under Windows 10 often fails with error 0x80070643. A Microsoft script is intended to help.

https://www.heise.de/-9595312.html


Patch now! Critical security vulnerability in GitLab enables account takeover

The flaw is already being actively exploited by criminals; administrators should act quickly and update or isolate their GitLab instances.

https://www.heise.de/-9595848.html


Data leak at Halara: personal data of 941,910 customers apparently online

The data of numerous Halara customers has surfaced in a hacker forum. It is said to have leaked via a vulnerability in the website's API.

https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hackerforum-aufgetaucht-2401-181118.html


New Balada Injector campaign infects 6,700 WordPress sites

A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign.

https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign-infects-6-700-wordpress-sites/


Over 150k WordPress sites at takeover risk via vulnerable plugin

Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site's authentication.

https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/


One File, Two Payloads, (Fri, Jan 12th)

It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])

https://isc.sans.edu/diary/rss/30558


Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]

https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html


Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]

https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html


Akira ransomware attackers are wiping NAS and tape backups

"The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year," the Finnish National Cybersecurity Center (NCSC-FI) shared on Wednesday. NCSC-FI received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during the Christmas vacations.

https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/


Joomla! vulnerability is being actively exploited

A vulnerability in the popular Joomla! CMS has been added to CISA's Known Exploited Vulnerabilities catalog.

https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-being-actively-exploited


An Introduction to AWS Security

Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the world's biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.

https://www.tripwire.com/state-of-security/introduction-aws-security


Financial Fraud APK Campaign

Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.

https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-users/


CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign

This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen bypass vulnerability, for its defense evasion and investigates the malware's payload.

https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html

Vulnerabilities

Buffer overflow and other security vulnerabilities in IBM Business Automation Workflow

Attackers can inject code, bring components to a halt and siphon off confidential information. IBM informs customers about countermeasures.

https://www.heise.de/-9596204.html


Splunk, cacti, checkmk: security vulnerabilities in monitoring software

There are security problems in three popular monitoring products. Admins should take care of the updates.

https://www.heise.de/-9595021.html


Bluetooth vulnerability: Apple secures keyboards with new firmware

Due to a bug it was possible to record Bluetooth traffic. However, the attacker needed physical access to the keyboard.

https://www.heise.de/-9595522.html


Security updates for Friday

Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).

https://lwn.net/Articles/958124/


Security Bulletin for Trend Micro Apex Central

https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/