Tageszusammenfassung - 21.10.2024

End-of-Day report

Timeframe: Freitag 18-10-2024 18:00 - Montag 21-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer

News

New macOS vulnerability, -HM Surf-, could lead to unauthorized data access

Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system-s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user-s protected data. The vulnerability, which we refer to as -HM Surf-, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user-s data, including browsed pages, the device-s camera, microphone, and location, without the user-s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC.

https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/


Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails

Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-the-call-a-deep-dive-into-the-tricks-used-in-callback-phishing-emails/


Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.

https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html


Severe flaws in E2EE cloud storage platforms used by millions

Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements.

https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-storage-platforms-used-by-millions/


Open source LLM tool primed to sniff out Python zero-days

The static analyzer uses Claude AI to identify vulns and suggest exploit code Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropics Claude AI model.

https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_day_tool/


Hunting for Remote Management Tools: Detecting RMMs

Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we-ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe.

https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detecting-rmms/


Cisco bestätigt Attacke auf DevHub-Portal und nimmt es offline

Cisco hat aktuell laufende Untersuchungen zu einem IT-Sicherheitsvorfall vorangetrieben und nun eine Attacke bestätigt. Dabei sollen Angreifer Zugriff auf nicht für die Öffentlichkeit bestimmte Daten gehabt haben.

https://heise.de/-9987412

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode).

https://lwn.net/Articles/994941/


Angreifer können PCs mit Virenschutz von Bitdefender und Trend Micro attackieren

Sicherheitslücken in Virenschutz-Software von Bitdefender und Trend Micro gefährden Systeme. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren, um Attacken vorzubeugen. [..] Im Supportbereich der Bitdefender-Website geben die Entwickler an, in diesem Kontext insgesamt fünf Sicherheitslücken (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) mit dem Bedrohungsgrad "hoch" geschlossen zu haben. Damit so eine Attacke klappt, können Angreifer etwa über Hashkollsionen (MD5 und SHA1) Zertifikate erzeugen, die als legitim durchgewunken werden. Die Sicherheitsprobleme sollen in der sich automatisch installierenden Total-Security-Version 27.0.25.11 gelöst sein.

https://heise.de/-9987394