End-of-Day report
Timeframe: Monday 14-10-2024 18:00 - Tuesday 15-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
TrickMo malware steals Android PINs using fake lock screen
Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs.
https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-android-pins-using-fake-lock-screen/
New FIDO proposal lets you securely move passkeys across platforms
The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers.
https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-securely-move-passkeys-across-platforms/
BEC-ware the phish (part 1). Investigating incidents in M365
This blog post is the first of three that look at the key steps for an effective investigation, response, and remediation of email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers from getting back in. Part three considers the native detection and prevention options in M365.
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-investigating-incidents-in-m365/
Beware of calls from the "Bankbetrugssystem Österreich" (Austrian bank fraud system)
We are currently again receiving an increased number of reports of automated recorded calls. A computer-generated voice claims to be the "Bankbetrugssystem Österreich" and states that a payment of 1500 euros was declined and that your account may have been hacked. You are asked to press the "1" key to be connected to a real person. Hang up, this is fraud!
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugssystem-oesterreich/
New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users
ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers.
https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability,
CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability,
CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability
https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024
Today we'd like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a format string vulnerability, unusually, in Fortinet's FortiGate devices. It affected (before patching) all currently-maintained branches, and was recently highlighted by CISA as being exploited in the wild.
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/
Vulnerabilities
Splunk Security Advisories 2024-10-14
Splunk released 12 security advisories: 4x high, 8x medium
https://advisory.splunk.com//advisories
Critical vulnerabilities in mbNET industrial routers
Several, in part severe, security vulnerabilities have been identified in mbNET industrial remote maintenance gateways and industrial routers. They make it possible to fully compromise the device and to decrypt encrypted configurations.
https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroutern-mbnet-syss-2024-059-bis-065
Security updates for Tuesday
Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3).
https://lwn.net/Articles/994268/
WordPress plugin Jetpack fixes nearly decade-old critical security flaw
The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin's contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve.
https://therecord.media/wordpress-jetpack-plugin-fixes-flaw
ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-24-1382/
Numerous vulnerabilities in Rittal IoT Interface & CMC III Processing Unit
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachstellen-im-rittal-iot-interface-cmc-iii-processing-unit/
GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487)
https://asec.ahnlab.com/en/83868/
Kubernetes: CVE-2024-9594
https://github.com/kubernetes/kubernetes/issues/128007
Kubernetes: CVE-2024-9486
https://github.com/kubernetes/kubernetes/issues/128006