End-of-Day report
Timeframe: Friday 08-11-2024 18:00 - Monday 11-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
Palo Alto investigates possible security vulnerability in PAN-OS web interface
Palo Alto is investigating an alleged code-injection vulnerability in the PAN-OS management interface. A subset of affected customers is being notified. [..] Palo Alto urgently recommends that customers ensure access to the management interface is configured correctly and in line with the recommended best-practice guidelines. The company also provides a guide for this.
https://www.heise.de/-10013896.html
Credentials from 2023 exploited for access - "Helldown Leaks" ransomware compromises companies via Zyxel firewalls
Since around the beginning of August 2024, companies worldwide have been encrypted by the ransomware group "Helldown Leaks". Zyxel firewalls can consistently be identified as the initial attack vector, even when they are running the latest software version.
https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-ausgenutzt-helldown-leaks-ransomware-kompromittiert-unternehmen-uber-zyxel-firewalls
Testing the Koord2ool
As part of the EU-funded project "AWAKE", we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time.
https://www.cert.at/en/blog/2024/11/testing-the-koord2ool
Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
#StopRansomware: Black Basta
Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
Cyberattack causes credit card readers to malfunction in Israel
As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp's CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments.
https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to-malfunction
Malware Steals Account Credentials
It's common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We'll explore one such case.
https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html
Known Attacks On Elliptic Curve Cryptography
In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a clearer way than it currently exists on the internet.
https://github.com/elikaski/ECC_Attacks
Pishi: Coverage guided macOS KEXT fuzzing
In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I'll break down the concepts and provide relatable examples and resources. My goal is to make fuzzing approachable and interesting.
https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html
Vulnerabilities
Veeam Backup Enterprise Manager: Unauthorized access by attackers possible
If attackers successfully exploit the vulnerability (CVE-2024-40715, "high"), they can bypass authentication and eavesdrop on connections as a man-in-the-middle. How this could work in detail is not yet known. [..] A security patch is available for download.
https://www.heise.de/-10018234.html
Security updates for Monday
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
https://lwn.net/Articles/997774/