End-of-Day report
Timeframe: Thursday 11-01-2024 18:00 - Friday 12-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Security risk: how easily mobile phone users can be secretly tracked
A Dutch radio station got hold of 80 gigabytes of location data from the Berlin-based platform Datarade and was thereby able to shadow officers, among others.
https://www.heise.de/-9596230.html
Microsoft provides a workaround for installing updates in the WinRE partition
On the January Patch Tuesday, the update installation on Windows 10 often fails with error 0x80070643. A Microsoft script is meant to help.
https://www.heise.de/-9595312.html
Patch now! Critical security vulnerability in GitLab enables account takeover
The flaw is already being actively exploited by criminals; administrators should act quickly and update or isolate their GitLab instances.
https://www.heise.de/-9595848.html
Data leak at Halara: personal data of 941,910 customers apparently online
The data of numerous Halara customers has surfaced in a hacker forum. It was allegedly exfiltrated via a vulnerability in the website's API.
https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hackerforum-aufgetaucht-2401-181118.html
New Balada Injector campaign infects 6,700 WordPress sites
A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign.
https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign-infects-6-700-wordpress-sites/
Over 150k WordPress sites at takeover risk via vulnerable plugin
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/
One File, Two Payloads, (Fri, Jan 12th)
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])
https://isc.sans.edu/diary/rss/30558
Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]
https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html
Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]
https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html
Akira ransomware attackers are wiping NAS and tape backups
"The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year," the Finnish National Cybersecurity Center (NCSC-FI) shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/
Joomla! vulnerability is being actively exploited
A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.
https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-being-actively-exploited
An Introduction to AWS Security
Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the world's biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.
https://www.tripwire.com/state-of-security/introduction-aws-security
Financial Fraud APK Campaign
Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-users/
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html
Vulnerabilities
Buffer overflow and other security vulnerabilities in IBM Business Automation Workflow
Attackers can inject code, bring components to a halt, and siphon off secret information. IBM is informing customers about countermeasures.
https://www.heise.de/-9596204.html
Splunk, cacti, checkmk: security vulnerabilities in monitoring software
Three popular monitoring products have security problems. Admins should take care of updates.
https://www.heise.de/-9595021.html
Bluetooth vulnerability: Apple secures keyboards with new firmware
Due to a bug, it was possible to record Bluetooth traffic. However, the attacker needed physical access to the keyboard.
https://www.heise.de/-9595522.html
Security updates for Friday
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
https://lwn.net/Articles/958124/
Security Bulletin for Trend Micro Apex Central
https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/