Daily summary - 03.12.2024

End-of-Day report

Timeframe: Monday 02-12-2024 18:00 - Tuesday 03-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Building Cyber Resilience Against Ransomware Attacks

This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building.

https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomware-attacks/


Unveiling RevC2 and Venom Loader

Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools.

https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader


Gafgyt Malware Targeting Docker Remote API Servers

Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.

https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
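The misconfiguration this campaign relies on is a Docker daemon whose Remote API is reachable over TCP without client authentication; whoever can reach it can create a privileged container with the host filesystem mounted. The following check is an added example written for this digest, not code from the Trend Micro report. It compares a weak daemon.json with a mutual-TLS one and parses a constructed `ss -ltnp` listing; file paths, port numbers and the sample rows are hypothetical.

```python
import json
import re
from typing import List

# Constructed sample inputs (hypothetical, not taken from the Trend Micro report).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Same TCP endpoint, but only clients presenting a certificate signed by the CA are accepted.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed `ss -ltnp` output for a host whose daemon is exposed on every interface.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*         users:(("sshd",pid=600,fd=3))
"""


def audit_daemon_json(text: str) -> List[str]:
    """Flag TCP API endpoints in daemon.json that lack mutual-TLS client authentication.

    An unauthenticated Docker API is root on the host: the caller can start a
    privileged container with / bind-mounted and do whatever it likes from there.
    """
    cfg = json.loads(text)
    mtls = bool(cfg.get("tlsverify")) and all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not mtls:
            findings.append(f"{host}: remote API reachable without TLS client authentication")
    return findings


# One LISTEN row of `ss -ltnp`; the process column identifies dockerd.
_DOCKERD_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("dockerd"')


def audit_listeners(ss_output: str) -> List[str]:
    """Flag dockerd sockets bound to anything but loopback, whatever config put them there."""
    findings = []
    for line in ss_output.splitlines():
        m = _DOCKERD_ROW.match(line)
        if m and m.group(1) not in ("127.0.0.1", "[::1]"):
            findings.append(f"dockerd listening on {m.group(1)}:{m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in audit_daemon_json(WEAK_DAEMON_JSON) + audit_listeners(SAMPLE_SS_OUTPUT):
        print("FINDING:", finding)
    print("hardened config findings:", audit_daemon_json(HARDENED_DAEMON_JSON))
```

On a live host, feed `audit_listeners` the real output of `ss -ltnp` (run as root, otherwise the process column is empty for other users' sockets). The listener check matters more than the file check: the `hosts` key in daemon.json is often absent or in conflict with the `-H` flag in the systemd unit's ExecStart, so the file alone does not tell you what the daemon is actually bound to.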


Secure Coding: Secure error handling in Java - avoiding CWE-778 risks

Using secure Java design patterns such as the Decorator and Proxy pattern to improve control over error reporting, as protection against CWE-778 weaknesses.

https://heise.de/-10084007


On Almost Signing Android Builds

This blog post has two goals: to raise awareness about this issue, and to introduce a script intended as a quick check to verify whether an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part.

https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/


Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd)

I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.

https://isc.sans.edu/diary/rss/31486
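As an added example for this digest (not the diary's own tooling, which is oledump/zipdump), the following Python carves a PE image out of the embedded-object streams of a .docx. Instead of cutting at a guessed length, it walks the PE section table and takes the furthest PointerToRawData + SizeOfRawData as the end of the image. The sample PE and the sample .docx are constructed inside the code; the member name word/embeddings/oleObject1.bin is the usual location but is an assumption for the sample.

```python
import io
import struct
import zipfile
from typing import List, Optional, Tuple

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 24  # "PE\0\0" signature plus the 20-byte file header


def carve_pe(blob: bytes, start: int) -> Optional[int]:
    """If a PE image starts at blob[start], return its on-disk length, else None.

    The end is the furthest PointerToRawData + SizeOfRawData of any section.
    Overlay data appended after the last section (common for installers) is not
    in the section table and is therefore not carved.
    """
    if blob[start:start + 2] != b"MZ" or len(blob) < start + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    pe = start + e_lfanew
    if e_lfanew < 0x40 or pe + COFF_HEADER_SIZE > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    size_of_optional = struct.unpack_from("<H", blob, pe + 20)[0]
    table = pe + COFF_HEADER_SIZE + size_of_optional
    end = table + SECTION_HEADER_SIZE * num_sections
    if not 0 < num_sections <= 96 or end > len(blob):
        return None
    for i in range(num_sections):
        # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        size_raw, ptr_raw = struct.unpack_from("<II", blob, table + SECTION_HEADER_SIZE * i + 16)
        end = max(end, start + ptr_raw + size_raw)  # raw pointers are relative to the image start
    return min(end, len(blob)) - start  # a truncated image is carved up to the end of the data


def find_pes(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every PE image in blob, ignoring bare 'MZ' noise."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        length = carve_pe(blob, pos)
        if length:
            hits.append((pos, length))
            pos = blob.find(b"MZ", pos + length)
        else:
            pos = blob.find(b"MZ", pos + 1)
    return hits


def extract_from_docx(docx) -> List[Tuple[str, int, bytes]]:
    """Carve PE images out of every embedded object of a .docx (path or file-like object)."""
    found = []
    with zipfile.ZipFile(docx) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                data = z.read(name)
                for off, length in find_pes(data):
                    found.append((name, off, data[off:off + length]))
    return found


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 skeleton (one .text section, not runnable) to exercise the carver."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, remainder zeroed
    raw_ptr = 0x40 + COFF_HEADER_SIZE + 0xE0 + SECTION_HEADER_SIZE  # first byte after the headers
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x20, 0x1000, 0x20, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + optional + section + b"\xC3" * 0x20


def build_sample_docx() -> io.BytesIO:
    """Constructed .docx: a minimal zip whose embedded-object stream wraps the sample PE in junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\x01Ole10Native\0" + b"\xAA" * 37 + build_sample_pe() + b"\0" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, off, image in extract_from_docx(build_sample_docx()):
        print(f"{name}: PE at offset {off}, {len(image)} bytes")
```

For the legacy binary .doc format the Ole10Native stream sits inside a compound file whose 512-byte sectors are not guaranteed to be contiguous, so carving the raw .doc can split the executable; dump the stream with oledump (or any OLE parser) first and run `find_pes` on the dumped stream.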

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy).

https://lwn.net/Articles/1000591/


Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders

CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-and-post-authentication-command-injection-vulnerabilities-in-some-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wifi-extenders-12-03-2024


Patch day: Android 12, 13, 14 and 15 vulnerable to malicious code attacks

In its advisory, Google singles out a vulnerability in the System component (CVE-2024-43767, rated "high") as particularly threatening: attackers can execute malicious code, and no additional execution privileges are needed to do so. How exactly such an attack could proceed remains unclear.

https://heise.de/-10185926


HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&docLocale=en_US


Fuji Electric Monitouch V-SFT

https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05


Fuji Electric Tellus Lite V-Simulator

https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06


ICONICS and Mitsubishi Electric GENESIS64 Products

https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04


Open Automation Software

https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03


Ruijie Reyee OS

https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01


F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763

https://my.f5.com/manage/s/article/K000148809


F5: K000148689: Qt vulnerability CVE-2023-32762

https://my.f5.com/manage/s/article/K000148689


Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449)

https://www.veeam.com/kb4679


Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3

https://www.veeam.com/kb4693


ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-24-1640/