End-of-Day report
Timeframe: Monday 16-12-2024 18:00 - Tuesday 17-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Verbraucherzentrale warns of a current PayPal fraud scheme
The Verbraucherzentrale NRW warns that criminals are abusing "Pay without a PayPal account". There is hardly any way to protect against it. [..] At the centre of the criticism is a PayPal payment option called "Pay without PayPal account", also known as "guest account" or "guest payment". It lets buyers pay via direct debit without a PayPal account being created. An IBAN has to be provided for this.
https://heise.de/-10202355
Malicious ads push Lumma infostealer via fake CAPTCHA pages
DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages.
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/
Over 25,000 SonicWall VPN Firewalls exposed to critical flaws
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords.
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-firewalls-exposed-to-critical-flaws/
Security agency warns: Windows kernel vulnerability is being actively exploited
Specifically, this concerns the vulnerability CVE-2024-35250. It allows attackers to escalate their privileges on vulnerable systems. According to the US cybersecurity agency CISA, there are now indications of active exploitation. [..] Patches for CVE-2024-35250 have been available since June for all affected operating systems and should therefore already have been installed on most systems.
https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in-windows-wird-aktiv-ausgenutzt-2412-191784.html
Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th)
Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim's computer. Even better, it reconfigures the tool if it is already installed. The script, called "an5.py", has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims.
https://isc.sans.edu/diary/rss/31524
Technical Analysis of RiseLoader
In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro, which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due to its distinctive focus and similarities with RisePro's communication protocol, we named this new malware family RiseLoader.
https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
https://lwn.net/Articles/1002496/
CrushFTP: Attacks on admins possible
Attackers can hide malicious code in CrushFTP logs. Versions hardened against this are available.
https://heise.de/-10202537
Xen Security Advisory CVE-2024-53241 / XSA-466
https://xenbits.xen.org/xsa/advisory-466.html
Xen Security Advisory CVE-2024-53240 / XSA-465
https://xenbits.xen.org/xsa/advisory-465.html
Rockwell Automation PowerMonitor 1000 Remote
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
Hitachi Energy TropOS Devices Series 1400/2400/6400
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
ThreatQuotient ThreatQ Platform
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities.
https://github.com/MISP/MISP/releases/tag/v2.5.3
BD Diagnostic Solutions Products
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01