End-of-Day report
Timeframe: Tuesday 26-11-2024 18:05 - Wednesday 27-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
RomCom exploits Firefox and Windows zero days in the wild
ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit.
https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
Fraud on Telegram and WhatsApp using fake job offers
Below you will find our report on the Telegram scam and how we even managed to outwit the scammers. We also give tips and tricks on what you can do and how to recognise such a scam.
https://www.zettasecure.com/post/betrug-auf-telegram-und-whatsapp-mit-fake-job-angeboten
Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers
A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720.
https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html
Gaming Engines: An Undetected Playground for Malware Loaders
Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript code, which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
New NachoVPN attack uses rogue VPN servers to install malicious updates
A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.
https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rogue-vpn-servers-to-install-malicious-updates/
Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns
Welcome to the second part of our investigation into the Rockstar kit, please check out part one here.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/
Researchers Discover "Bootkitty" - First UEFI Bootkit Targeting Linux Kernels
Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks.
https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html
BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365
This blog discusses a few options in M365, such as guidance on configuring threat and alert policies and how to deal with these alerts downstream in the SIEM.
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-3-detect-and-prevent-incidents-in-m365/
Modern solutions against cross-site attacks
This article is about cross-site leak attacks and what recent defenses have been introduced to counter them. I also want to finally answer the question why web security best practices are always opt-in and finally how YOU can get increased security controls.
https://frederikbraun.de/modern-solutions-xsleaks.html
Vulnerabilities
Palo Alto GlobalProtect: malicious code vulnerability due to insufficient certificate validation
The discoverers of the vulnerability at Amberwolf write in their detailed analysis that the GlobalProtect VPN clients on both macOS and Windows are vulnerable to execution of malicious code from the network and to privilege escalation via the automatic update mechanism (CVE-2024-5921, CVSS-B 7.2, risk "high"). Although the update process requires MSI files to be signed, attackers can abuse the PanGPS service to install a malicious root certificate, which the client then trusts.
https://heise.de/-10178649
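The GlobalProtect advisory above and the NachoVPN item in the News section describe the same failure mode: the updater checks that an MSI carries a "valid" signature, but a rogue root certificate planted through the client turns any attacker-signed package into a valid one. The following PowerShell script is an added example written for this report; it is not code from Amberwolf, heise, Palo Alto Networks or SonicWall. It verifies that an installer's Authenticode chain terminates at a pinned root thumbprint rather than at "any trusted root", and then lists the newest self-signed certificates in the machine root store so a freshly injected root stands out. The $ExpectedRootThumbprint placeholder is an assumption and must be replaced with the thumbprint taken from a known-good installer.

```powershell
# Added example for this report, not vendor code.
# Usage: .\Check-InstallerRoot.ps1 -MsiPath C:\path\to\update.msi -ExpectedRootThumbprint <sha1>
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    # Hypothetical placeholder: take the real value from a known-good installer's chain.
    [string]$ExpectedRootThumbprint = 'REPLACE_WITH_PINNED_ROOT_THUMBPRINT'
)

# Step 1: the check the updater already does. A rogue root in the store makes this pass.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    Write-Output "FAIL: Authenticode status for $MsiPath is $($sig.Status)"
    exit 1
}

# Step 2: the check the updater should also do. Rebuild the chain and pin the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
    Write-Output "FAIL: chain ends at unexpected root '$($root.Subject)' ($($root.Thumbprint))"
    exit 1
}
Write-Output "OK: signed by '$($sig.SignerCertificate.Subject)', chained to the pinned root"

# Step 3: hunting aid. Self-signed entries in the machine root store, newest first.
# Compare against a baseline export of the same store from a clean host.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 10 NotBefore, Subject, Thumbprint
```

The point of step 2 is that signature validity and signer identity are different properties: a store poisoned as described in the advisory satisfies the first but not the second, so a pinned root (or a pinned leaf certificate) is what actually closes the gap.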
Microsoft patches partly critical vulnerabilities out of band
In the night to Wednesday, Microsoft published four security advisories. [..] Users need to install some of the updates themselves.
https://www.heise.de/-10178400
Security updates for Wednesday
Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted).
https://lwn.net/Articles/999897/
GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5
https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-released/
HPE Insight Remote Support: monitoring software allows attackers to smuggle in malicious code
https://www.heise.de/-10178034
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007
https://webkitgtk.org/security/WSA-2024-0007.html
Synology-SA-24:27 DSM
https://www.synology.com/en-global/support/security/Synology_SA_24_27
Synology-SA-24:26 BeeDrive for desktop
https://www.synology.com/en-global/support/security/Synology_SA_24_26
Omada Identity: Stored Cross-Site Scripting in Omada Identity
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-in-omada-identity/
F5: K000148716: REXML vulnerability CVE-2024-41123
https://my.f5.com/manage/s/article/K000148716
F5: K000148692: Qt vulnerability CVE-2023-34410
https://my.f5.com/manage/s/article/K000148692
F5: K000148690: Qt vulnerability CVE-2023-32573
https://my.f5.com/manage/s/article/K000148690