Daily Summary - 04.12.2024

End-of-Day report

Timeframe: Tuesday 03-12-2024 18:00 - Wednesday 04-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

Supply Chain Attack Detected in Solana's web3.js Library

A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets. [..] npm has moved swiftly to remove the affected versions. [..] Anza recommends developers who suspect they were compromised to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs.

https://socket.dev/blog/supply-chain-attack-solana-web3-js-library


Patch now! Exploit for critical vulnerability in WhatsUp Gold in circulation

A "critical" security vulnerability has been known since September of this year, and a security update has been available since then. Because exploit code for the vulnerability is now circulating, attacks could be imminent.

https://heise.de/-10187538


Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA. [..] The vulnerability itself isn't new - Cisco originally issued a warning back in March 2014. However, the company's recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug.

https://hackread.com/cisco-patch-decade-old-webvpn-vulnerability/


(QR) Coding My Way Out of Here: C2 in Browser Isolation Environments

In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device.

https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments/


Following severe cyberattack on US providers: FBI advocates encryption

In light of a devastating cyberattack on US providers, the US federal police FBI and the cybersecurity agency CISA have urged people in the United States to encrypt their communications wherever possible.

https://heise.de/-10187110


Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators.

https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/


PROXY.AM Powered by Socks5Systemz Botnet

After a year-long investigation, Bitsight TRACE follows up on its Socks5Systemz research.

https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet


New era of slop security reports for open source

Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects. [..] Security reports that waste maintainers' time result in confusion, stress, frustration, and to top it off a sense of isolation due to the secretive nature of security reports. [..] If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale to open source projects. This is a very concerning trend.

https://sethmlarson.dev/slop-security-reports

Vulnerabilities

Identity management: vulnerability with maximum severity rating threatens IdentityIQ

So far, SailPoint has not issued any warning about the vulnerability. All information on the "critical" flaw (CVE-2024-10905) is currently based on an entry in the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST). [..] The vulnerability is said to be fixed in releases 8.2p8, 8.3p5 and 8.4p2.

https://heise.de/-10187194


Cisco NX-OS Software Image Verification Bypass Vulnerability

A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. (CVE-2024-20397)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL


Security updates for Wednesday

Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen).

https://lwn.net/Articles/1000721/


Scan2Net: Multiple critical vulnerabilities in Image Access Scan2Net

https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-kritische-schwachstellen-in-image-access-scan2net/


PGST: Multiple vulnerabilities in PGST alarm systems (SYSS-2024-070 to -073)

https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-pgst-alarmanlagen-syss-2024-070-bis-073


F5: K000148830: Linux kernel vulnerabilities CVE-2024-41090 and CVE-2024-41091

https://my.f5.com/manage/s/article/K000148830