End-of-Day report
Timeframe: Friday 15-11-2024 18:00 - Monday 18-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Honeypot: Researcher fools script kiddies with fake ransomware
A tool called Jinn was supposed to make ransomware attacks easier. In reality it was a honeypot, and quite a few actors fell for it.
https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fake-ransomware-2411-190885.html
Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground?
A blog detailing in-depth research into women in Russian-speaking cybercrime.
https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-creatures-or-significant-members-of-underground
Mastering DORA core topics: A deep dive into incident management
In this blog post we look at the requirements DORA places on incident management.
https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-dive-in-incident-management/
Swiss cheesed off as postal service used to spread malware
QR codes arrive via an age-old delivery system. Switzerland's National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the country's postal service.
https://www.theregister.com/2024/11/16/swiss_malware_qr/
WTF: Security researchers find three new vulnerabilities while reproducing one
When the watchTowr Labs researchers set out to verify the FortiManager vulnerability, they found further bugs and incomplete fixes.
https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer-Luecke-drei-neue-10039106.html
T-Mobile affected by Chinese cyberattack
According to a report, the hackers were able to break into several telecommunications companies in the US as well as internationally.
https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cyberangriff-betroffen
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
Acute wave of DDoS attacks against Austrian companies and organisations
Since early this morning, various Austrian companies and organisations from different industries and sectors have been facing DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In light of the current events ..
https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
KEY TAKEAWAYS: Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the ..
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices
In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
What To Use Instead of PGP
It's been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing ..
https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/
TPM-Backed SSH Keys on Windows 11
On my MacBook, I've been using TPM/security key-based SSH keys for years since it's where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was ..
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/
Reverse Engineering iOS 18 Inactivity Reboot
iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html
Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authentication-with-remote-kill-switch?utm_medium=feed
Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability
On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially ..
https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-the-vulnerability/
Vulnerabilities
Security updates for Monday
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), ..
https://lwn.net/Articles/998570/
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL)
https://security.paloaltonetworks.com/CVE-2024-0012
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2024-9474