End-of-Day report
Timeframe: Wednesday 13-11-2024 18:00 - Thursday 14-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575
While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we're still a little concerned about FortiManager's overall code quality. We note that our som/export vulnerability, "FortiJump Higher", is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance.
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
New PXA Stealer targets government and education sectors for sensitive information
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
https://blog.talosintelligence.com/new-pxa-stealer/
Advertisers are pushing ad and pop-up blockers using old tricks
A malvertising campaign using an old school trick was found pushing to different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we'll be told we need a browser extension to "continue watching in safe mode." [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate's efforts, the affiliate earns a commission.
https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks
Crimeware and financial cyberthreats in 2025
Kaspersky's GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025.
https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/
Malware: evading detection with a bolted-on ZIP
IT researchers have discovered malware that evades detection by virus scanners by concatenating ZIP files.
https://www.heise.de/-10034752
Free tool: security researchers crack ShrinkLocker encryption
The ShrinkLocker ransomware uses Microsoft's BitLocker to encrypt Windows systems. A decryption tool helps.
https://www.heise.de/-10034933
PHP Reinfector and Backdoor Malware Target WordPress Sites
We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options.
https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-wordpress-sites.html
Malware Spotlight: A Deep-Dive Analysis of WezRat
Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad.
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs
Group-IB has uncovered Lazarus group's stealthy new trojan and technique of hiding malicious code in extended attributes on macOS.
https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/
Vulnerabilities
4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability
This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical)
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
Security updates for Thursday
Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).
https://lwn.net/Articles/998143/
CISA Releases Nineteen Industrial Control Systems Advisories
Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-industrial-control-systems-advisories
GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240
https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerability-cve-2024-9693/
Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060
https://www.drupal.org/sa-contrib-2024-060
Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059
https://www.drupal.org/sa-contrib-2024-059
Fortinet: Lack of capacity to filter logs by administrator access
https://fortiguard.fortinet.com/psirt/FG-IR-23-267
Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2024-2551