End-of-Day report
Timeframe: Tuesday 10-12-2024 18:00 - Wednesday 11-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Global Ongoing Phishing Campaign Targets Employees Across 12 Industries
Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing; therefore, companies need to watch out for what comes to their inbox.
https://hackread.com/ongoing-phishing-campaign-targets-employees/
AMD's trusted execution environment blown wide open by new BadRAM attack
On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP (short for Secure Encrypted Virtualization and Secure Nested Paging) has provided the cryptographic means for certifying that a VM hasn't been compromised by any sort of backdoor installed by someone with access to the physical machine running it.
https://arstechnica.com/information-technology/2024/12/new-badram-attack-neuters-security-assurances-in-amd-epyc-processors/
Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts
Cybersecurity researchers have flagged a "critical" security vulnerability in Microsoft's multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victim's account. [..] Following responsible disclosure, the issue - codenamed AuthQuake - was addressed by Microsoft in October 2024.
https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html
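The weakness class behind the headline is an OTP check that accepts guesses without counting failures or raising an alarm. The following is an added illustration for this report, not code from the article or from Microsoft: a simulated 6-digit code verifier with no attempt limit next to one that counts failures, locks the session and records an alert. The session structure, the cap of 10 failures and the brute-force loop are assumptions chosen to make the difference measurable.

```python
"""Added example: OTP verification with and without a failure cap.
Not Microsoft's code; session layout, MAX_FAILURES and the attacker
loop are assumptions made for this illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6
MAX_FAILURES = 10  # assumed cap before a session is locked and an alert is raised


@dataclass
class OtpSession:
    code: str                       # code the legitimate user is expected to enter
    failures: int = 0               # consecutive failed guesses in this session
    locked: bool = False
    alerts: list = field(default_factory=list)


def new_session() -> OtpSession:
    """Create a session with a random 6-digit code (zero-padded)."""
    return OtpSession(code=f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")


def verify_unlimited(sess: OtpSession, guess: str) -> bool:
    """Vulnerable pattern: every guess is checked, nothing is counted or logged,
    so an attacker can walk the whole 10**6 code space."""
    return hmac.compare_digest(sess.code, guess)


def verify_limited(sess: OtpSession, guess: str) -> bool:
    """Hardened pattern: constant-time compare, failure counter, lockout and alert."""
    if sess.locked:
        return False
    if hmac.compare_digest(sess.code, guess):
        sess.failures = 0
        return True
    sess.failures += 1
    if sess.failures >= MAX_FAILURES:
        sess.locked = True
        sess.alerts.append(f"OTP lockout after {sess.failures} consecutive failures")
    return False


def brute_force(sess: OtpSession, verify) -> tuple:
    """Enumerate codes in ascending order against the given verifier.
    Returns (cracked, attempts_made); stops early once the session locks."""
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        if verify(sess, guess):
            return True, n + 1
        if sess.locked:
            return False, n + 1
    return False, 10 ** CODE_DIGITS


if __name__ == "__main__":
    # Constructed session with a low code so the unlimited run finishes quickly.
    weak = OtpSession(code="000123")
    print("no limit  :", brute_force(weak, verify_unlimited))    # (True, 124)
    strong = OtpSession(code="000123")
    print("with limit:", brute_force(strong, verify_limited))    # (False, 10)
    print("alerts    :", strong.alerts)
```

With a random code the unlimited verifier falls on average after half a million guesses and nobody is told; the capped verifier stops the same attacker at the tenth attempt and leaves an alert record for the SOC. The cap value is a policy choice; the point is that the counter, the lockout and the alert all have to exist.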
Decrypting Full Disk Encryption with Dissect
Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft's BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large.
https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dissect/
The Stealthy Stalker: Remcos RAT
As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/
How easily access cards can be cloned and why your PACS might be vulnerable
PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love.
https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-be-cloned-and-why-your-pacs-might-be-vulnerable/
Schedule published: Let's Encrypt is retiring OCSP certificate status checking
The protocol for real-time validity checking has privacy problems. The world's largest CA is now replacing it with certificate revocation lists.
https://heise.de/-10195107
Vulnerabilities
Ivanti: December Security Update
Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639
https://www.ivanti.com/blog/december-security-update
Microsoft Security Update Summary (10 December 2024)
On 10 December 2024 Microsoft released security updates for Windows clients and servers, for Office and for further products. The security updates fix 70 vulnerabilities (CVEs), 16 of them critical, one of which is classified as a 0-day (already exploited).
https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-10-dezember-2024/
SolarWinds Web Help Desk: software update closes critical vulnerabilities
The developers have fixed security vulnerabilities, some of them critical, in SolarWinds Web Help Desk. IT managers should update promptly.
https://heise.de/-10195207
Patch day: Adobe closes more than 160 security vulnerabilities in Acrobat & Co.
In total the software vendor has closed more than 160 vulnerabilities with updates for its products.
https://www.heise.de/-10194979
Synology-SA-24:28 Media Server
A vulnerability allows remote attackers to read specific files.
https://www.synology.com/en-global/support/security/Synology_SA_24_28
PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement
The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability.
https://kb.cert.org/vuls/id/164934
Security updates for Wednesday
Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro).
https://lwn.net/Articles/1001728/
Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2
https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/
F5: K000148931: Linux kernel vulnerability CVE-2024-26923
https://my.f5.com/manage/s/article/K000148931
Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-91f7c6fa-en
Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-numerix-license-server-administration-system-login/
Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024
https://advisory.splunk.com//advisories/SVD-2024-1207
Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024
https://advisory.splunk.com//advisories/SVD-2024-1206
Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app
https://advisory.splunk.com//advisories/SVD-2024-1205
Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands
https://advisory.splunk.com//advisories/SVD-2024-1204
Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User
https://advisory.splunk.com//advisories/SVD-2024-1203
Splunk: SVD-2024-1202: Risky command safeguards bypass in '/en-US/app/search/report' endpoint through 's' parameter
https://advisory.splunk.com//advisories/SVD-2024-1202
Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway
https://advisory.splunk.com//advisories/SVD-2024-1201