Daily summary - 28.10.2024

End-of-Day report

Timeframe: Friday 25-10-2024 18:00 - Monday 28-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl

News

Amazon seizes domains used in rogue Remote Desktop campaign to steal data

Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files.

https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-in-rogue-remote-desktop-campaign-to-steal-data/


Redline, Meta infostealer malware operations seized by police

The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement.

https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/


70 zero-day vulnerabilities exploited: Pwn2Own hackers crack Samsung Galaxy S24 and more

At the competition, various cameras, printers and NAS systems were also attacked. Nobody, however, dared to take on a Pixel 8 or an iPhone 15.

https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-knacken-samsung-galaxy-s24-und-mehr-2410-190238.html


The Windows Registry Adventure #4: Hives and the registry layout

To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry ..

https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html


Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently ..

https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html


Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-dhs-report/


Vulnerabilities of Realtek SD card reader driver, part 1

These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, ..

https://zwclose.github.io/2024/10/14/rtsper1.html


Inside the Open Directory of the "You Dun" Threat Group

The DFIR Report's Threat Intel Team detected an open directory in January 2024 and analyzed it for tradecraft and threat actor activity. Once reviewed, we identified it was related to the Chinese-speaking hacking group that calls itself "You Dun" ..

https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/


The NSA recommends a weekly smartphone reboot

An interesting piece of information that I came across this week. The US security agency NSA (National Security Agency, domestic intelligence service) recommends restarting your smartphone once a week. There is a security rationale behind this. The restart is meant to remove malware that is not persistent ..

https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-smartphone-reboot/


Anatomy of an LLM RCE

As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a ..

https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce


Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives

In September 2024, Google Threat Intelligence Group (consisting of Google's Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free ..

https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/


Secure Coding: Preventing unauthorized access through path traversal (CWE-22)

CWE-22 describes the improper modification of a pathname to a restricted directory. How can the weakness be brought under control?

https://heise.de/-9982270


Black Basta group uses Microsoft Teams chat function

The ransomware group known as "Black Basta" has developed a new mechanism that abuses the chat function of Microsoft Teams to make contact with victims.

https://heise.de/-9995322


Nvidia: privilege escalation possible through security vulnerabilities in graphics drivers

Nvidia warns of several security vulnerabilities in its graphics drivers that allow, among other things, privilege escalation. Updates are available.

https://heise.de/-9995842


2024 situation report: malware installed almost 8 million times in Google Play

IT researchers have examined the mobile malware situation of the past 12 months. More than 200 fake apps lurked in Google Play.

https://heise.de/-9996456


VMware Tanzu Spring Security: bypass of authorization rules possible

A critical security vulnerability in VMware Tanzu Spring Security allows attackers to bypass authorization rules.

https://heise.de/-9996582


Vulnerabilities

Security updates for Monday

Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, ..

https://lwn.net/Articles/996085/


Chatwork Desktop Application (Windows) uses a potentially dangerous function

https://jvn.jp/en/jp/JVN78335885/


K000148252: Python tarfile vulnerability CVE-2024-6232

https://my.f5.com/manage/s/article/K000148252


K000148256: libarchive vulnerability CVE-2018-1000880

https://my.f5.com/manage/s/article/K000148256