Tageszusammenfassung - 11.10.2024

End-of-Day report

Timeframe: Donnerstag 10-10-2024 18:00 - Freitag 11-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Akira and Fog ransomware now exploit critical Veeam RCE flaw

Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.

https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/


Digitaler Krieg: Russische Hacker sollen Zimbra- und Teamcity-Exploits nutzen

Staatliche russische Hacker nähmen Zimbra- und Jetbrains Teamcity-Installationen westlicher Unternehmen aufs Korn, warnen die USA und Großbritannien.

https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-und-teamcity-exploits-nutzen-2410-189728.html


Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation

The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the worlds largest and longest-running dark web market for illegal goods, drugs, and cybercrime services.The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said.

https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html


Perfecting Ransomware on AWS - Using keys to the kingdom to change the locks

If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) - I would have answered -dump the data and hope that no-one notices you before you finish it up.- This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.

https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-kms-xks-dea668633802


Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024)

Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database

https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-30-2024-to-october-6-2024/


Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.

https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/


Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome.

https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/


Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies

CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies.

https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies


EU-Rat bringt Cyber Resilience Act auf den Weg

Künftig müssen vernetzte Produkte, die in der EU in Verkehr gebracht werden, gegen Angriffe gesichert sein und das mit dem CE-Zeichen signalisieren.

https://heise.de/-9977103

Vulnerabilities

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.

https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html


Priviledged admin able to view device summary for device in different [FortiManager] ADOM

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests.

https://fortiguard.fortinet.com/psirt/FG-IR-23-472


Aw, Sugar. Critical Vulnerabilities in SugarWOD

It is possible to: * Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses * Extract all Gyms join passwords [..] * Bypass user-chosen privacy settings

https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/


Security updates for Friday

Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).

https://lwn.net/Articles/993778/


Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0

* CVE-2024-9680: Use-after-free in Animation timeline

https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/


Livewire Security Update Advisory (CVE-2024-47823)

The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a -.php- file with a valid MIME type.

https://asec.ahnlab.com/en/83775/


Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561)

* CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows) * CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded)

https://asec.ahnlab.com/en/83776/


Anonymisierendes Linux: Tails 6.8.1 schließt kritische Sicherheitslücke

Das zum anonymen Surfen gedachte Tails-Linux schließt in Version 6.8.1 eine Sicherheitslücke. Es verbessert zudem den Umgang mit persistentem Speicher.

https://heise.de/-9977905


baserCMS plugin "BurgerEditor" vulnerable to directory listing

https://jvn.jp/en/jp/JVN54676967/


ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php