End-of-Day report
Timeframe: Thursday 18-01-2024 18:00 - Friday 19-01-2024 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
News
TeamViewer abused to breach networks in new ransomware attacks
Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/
macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th)
Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too.
https://isc.sans.edu/diary/rss/30572
Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html
Taking over WhatsApp accounts by reading voicemails
The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp's account backup feature. I describe how this PIN could be compromised through a voice-call backup delivery method, forcing the call to go to voicemail, and spoofing the victim's phone number to read their voicemail.
https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voicemails-68ad70dc2499
Recovery scam: criminals pose as blockchain.com and report an allegedly dormant Bitcoin wallet
Victims of fraudulent trading platforms sometimes suffer considerable financial losses. Their desperation and desire to get the money back are correspondingly great. Criminals exploit this and contact the victims again after some time.
https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-als-blockchaincom-aus-und-informieren-ueber-angeblich-ruhende-bitcoin-wallet/
Virtual kidnapping: How to see through this terrifying scam
Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims.
https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/
Ivanti Connect Secure VPN Exploitation: New Observations
Volexity also recently learned of a potential issue that organizations may face when attempting to bring fresh Ivanti Connect Secure VPN appliances back online, one that leaves those appliances in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans.
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
Vulnerabilities
VMware confirms critical vCenter flaw now exploited in attacks
VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/
Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.
https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html
Smartphones and more: ambient light sensors can spy too
Not only smartphone cameras can spy on people, but ambient light sensors as well. This is the finding of a study published in "Science".
https://heise.de/-9601724
Attackers are targeting Ivanti EPMM and MobileIron Core
Attackers are currently exploiting a critical security vulnerability in Ivanti EPMM and MobileIron Core.
https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-Core-9602207.html
Security updates for Thursday
Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).
https://lwn.net/Articles/958676/
Security updates for Friday
Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).
https://lwn.net/Articles/958760/
Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critical-Alert-for-Progress-Application-Server-in-OpenEdge-PASOE-Arbitrary-File-Upload-Vulnerability-in-WEB-Transport
ZDI Security Advisories
https://www.zerodayinitiative.com/advisories/published/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/