End-of-Day report
Timeframe: Thursday 12-12-2024 18:00 - Friday 13-12-2024 18:05
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Social engineering after mail bombing
Rapid7 recently published a blog post on the methods of a ransomware group; we have since heard from several companies in Austria that have had to observe this attack pattern themselves: first, an employee of the target company is flooded with e-mail. In many cases these are legitimate newsletters, which in such volume nevertheless become a real problem. The employee is then contacted via Teams or other channels: the caller claims to be the helpdesk and offers to help them cope with the avalanche of mail.
https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing
Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection.
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
Germany sinkholes BadBox malware pre-loaded on Android devices
Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers.
https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-malware-pre-loaded-on-android-devices/
Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat
The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden; the FCC just hasn't enforced them. It's unclear if they will help.
https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telcos-salt-typhoon
IoT Cloud Cracked by Open Sesame Over-the-Air Attack
Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.
https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-attack
Windows Tooling Updates: OleView.NET
This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution.
https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-oleviewnet.html
New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.
https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.html
Attacking Entra Metaverse: Part 1
This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary
https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?source=rssf05f8696e3cc4
Vulnerabilities
DevSecOps platform Gitlab: account takeover possible
In a post, the developers write that the fixed releases are already running on Gitlab.com. For self-managed Gitlab installations, versions 17.4.6, 17.5.4 and 17.6.2 of the Community Edition and Enterprise Edition have now been released. [..] In total, the developers have closed twelve security vulnerabilities. Two of them are rated with the threat level "high" (CVE-2024-11274, CVE-2024-8233). In the first case, attackers can take over accounts by manipulating Kubernetes proxy responses.
https://heise.de/-10198923
Security updates for Friday
Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3).
https://lwn.net/Articles/1002036/
Schneider Electric Security Advisories 10.12.2024
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18
https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/
F5: K000148969: Python vulnerability CVE-2024-7592
https://my.f5.com/manage/s/article/K000148969