End-of-Day report
Timeframe: Friday 06-12-2024 18:00 - Monday 09-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Phish Supper: An Incident Responder's Bread and Butter
This post will delve into a recent business email compromise engagement handled by NCC Group's Digital Forensics and Incident Response (DFIR) team, which saw the compromise of 12 users' Microsoft 365 accounts.
https://www.nccgroup.com/us/research-blog/phish-supper-an-incident-responder-s-bread-and-butter/
Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer."
https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html
Abusing Git branch names to compromise a PyPI package
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. [..] This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.
https://lwn.net/Articles/1001215/
A vulnerability in the OpenWrt attended sysupgrade server
The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.
https://lwn.net/Articles/1001441/
Secure Coding: CWE-1007 - the invisible danger of visually similar characters
Deliberate homoglyph attacks using visually similar characters can mislead users. Several best practices help protect against them.
https://heise.de/-10188217
Malicious Maven Package Impersonating XZ for Java Library Introduces Backdoor Allowing Remote Code Execution
Socket researchers have discovered a malicious Maven package io.github.xz-java:xz-java that impersonates the legitimate XZ for Java library org.tukaani:xz. This deceptive package creates a hidden backdoor that enables remote command execution, posing a threat to enterprise supply chains.
https://socket.dev/blog/malicious-maven-package-impersonating-xz-for-java-library?utm_medium=feed
Exploit Code Released for Microsoft CVE-2024-38193
A critical use-after-free vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, has been discovered in the afd.sys Windows driver that allows attackers to escalate privileges and execute arbitrary code. This vulnerability was fixed in the August 2024 Patch Tuesday release. [..] Security researcher Nephster has published proof-of-concept (PoC) code for the CVE-2024-38193 vulnerability on GitHub, further escalating its potential threat.
https://thecyberthrone.in/2024/12/09/exploit-code-released-for-microsoft-cve-2024-38193/
Vulnerabilities
Qlik: High Security fixes for Qlik Sense Enterprise for Windows (CVEs-pending)
Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).
https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows-CVEs/tac-p/2496004
Security updates for Monday
Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge, Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy).
https://lwn.net/Articles/1001433/
ZDI-24-1646: Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-24-1646/
F5: K000148896: Intel SGX vulnerability CVE-2023-43753
https://my.f5.com/manage/s/article/K000148896