End-of-Day report
Timeframe: Mittwoch 30-10-2024 18:00 - Donnerstag 31-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers
On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages.
https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken-over-by-attackers/
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Discovering Hidden Vulnerabilities in Portainer with CodeQL
In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability.
https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-vulnerabilities-in-portainer-with-codeql
Loose-lipped neural networks and lazy scammers
As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud.
https://securelist.com/llm-phish-blunders/114367/
Mounting memory with MemProcFS for advanced memory forensics
Whilst this blog does not intend to go into any detail into some of the most popular tools available to analyse memory, nor a deep dive into analysis techniques it is intended to provide high level information about some significant enhances to memory forensics in the last few years and the difference in tooling. This also covers three memory forensic tools; many others are available.
https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocfs-for-advanced-memory-forensics/
The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices
Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security.
https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-insights-from-a-multi-year-apt-campaign-targeting-edge-devices
Auditing K3s Clusters
K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere.
https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/
Vulnerabilities
LiteSpeed Cache WordPress plugin bug lets hackers get admin access
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels.
https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-plugin-bug-lets-hackers-get-admin-access/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
https://lwn.net/Articles/996526/
Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055
https://www.drupal.org/sa-contrib-2024-055
Bosch: DoS vulnerability on IndraDrive
https://psirt.bosch.com/security-advisories/bosch-sa-315415.html