End-of-Day report
Timeframe: Thursday 10-10-2024 18:00 - Friday 11-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Akira and Fog ransomware now exploit critical Veeam RCE flaw
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/
Digital war: Russian hackers said to be using Zimbra and TeamCity exploits
State-sponsored Russian hackers are reportedly targeting Zimbra and JetBrains TeamCity installations of Western companies, the USA and the United Kingdom warn.
https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-und-teamcity-exploits-nutzen-2410-189728.html
Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation
The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said.
https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html
Perfecting Ransomware on AWS - Using keys to the kingdom to change the locks
If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) - I would have answered "dump the data and hope that no-one notices you before you finish it up." This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.
https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-kms-xks-dea668633802
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024)
Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database.
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-30-2024-to-october-6-2024/
Lynx Ransomware: A Rebranding of INC Ransomware
Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices
Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome.
https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/
Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies
CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies.
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
EU Council sets the Cyber Resilience Act in motion
In future, networked products placed on the market in the EU must be secured against attacks and signal this with the CE mark.
https://heise.de/-9977103
Vulnerabilities
New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.
https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
Privileged admin able to view device summary for device in different [FortiManager] ADOM
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to one ADOM to access the device summary of other ADOMs via crafted HTTP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-23-472
Aw, Sugar. Critical Vulnerabilities in SugarWOD
It is possible to:
* Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses
* Extract all gyms' join passwords
[..]
* Bypass user-chosen privacy settings
https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
https://lwn.net/Articles/993778/
Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0
* CVE-2024-9680: Use-after-free in Animation timeline
https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/
Livewire Security Update Advisory (CVE-2024-47823)
The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a ".php" file with a valid MIME type.
https://asec.ahnlab.com/en/83775/
Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561)
* CVE-2024-45720: Subversion versions up to and including 1.14.3 (Windows)
* CVE-2024-47561: Apache Avro Java SDK versions prior to 1.11.4
https://asec.ahnlab.com/en/83776/
Anonymizing Linux: Tails 6.8.1 closes critical security hole
Tails Linux, intended for anonymous browsing, closes a security vulnerability in version 6.8.1. It also improves the handling of persistent storage.
https://heise.de/-9977905
baserCMS plugin "BurgerEditor" vulnerable to directory listing
https://jvn.jp/en/jp/JVN54676967/
ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php