Daily Summary - 19.12.2024

End-of-Day report

Timeframe: Wednesday 18-12-2024 18:00 - Thursday 19-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Attackers exploiting a patched FortiClient EMS vulnerability in the wild

During a recent incident response, Kaspersky's GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company's networks by targeting a Fortinet vulnerability for which a patch was already available.

https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046/


HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft

Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.

https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html


Spyware distributed through Amazon Appstore

Recently, we uncovered a seemingly harmless app called "BMI CalculationVsn" on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-through-amazon-appstore/


Warning: AG Reparaturservice is a scam

Dishwasher broken? The website ag-reparaturservice.at purports to offer repairs of all kinds of appliances. From refrigerators and washing machines to ovens, the company claims to repair household appliances. We advise caution: despite payment, the repair is never carried out. You lose your money. We show you how to recognise the scam!

https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/


CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach

A 5-page advisory provided troves of guidance for both Apple and Android users, urging all "highly targeted individuals" to rely on the "consistent use of end-to-end encryption."

https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-salt-typhoon


Hackers could take down the European power grid via vulnerabilities in solar installations

An unpleasant, but by no means new, finding. Germany is "proud" of its installed solar capacity. But a Greek white-hat hacker has shown how, with a notebook and an internet connection, he could hack into numerous European solar installations and simply switch them off, including in Germany.

https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstellen-in-solaranlagen-das-europaeische-stromnetz-knacken/


Critical LDAP vulnerability in Windows (CVE-2024-49112)

A small addendum to the December 2024 Patch Tuesday. On 10 December 2024, Microsoft disclosed a critical vulnerability (CVE-2024-49112) in the Lightweight Directory Access Protocol (LDAP). It allows remote attacks on Windows clients and servers, but has been patched. [..] Hunter writes that 178,900 LDAP and LDAPS services are found each year in scans via hunter.how.

https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-windows-cve-2024-49112/


Exploring vulnerable Windows drivers

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos' series of posts about malicious Windows drivers.

https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/


Fraudulent email: cyber insurance does not have to cover the loss

Classic email spoofing cost a German company 85,000 euros. Its cyber insurance does not cover the loss, the Regional Court of Hagen ruled.

https://heise.de/-10215212


Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages

Socket's threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction.

https://socket.dev/blog/skuld-infostealer-returns-to-npm

Vulnerabilities

FortiWLM Unauthenticated limited file read vulnerability

A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990

https://www.fortiguard.com/psirt/FG-IR-23-144


FortiManager OS command injection

An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889

https://fortiguard.fortinet.com/psirt/FG-IR-24-425


Security updates for Thursday

Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara).

https://lwn.net/Articles/1002903/


Delta Electronics DTM Soft

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03


Hitachi Energy SDM600

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02


Hitachi Energy RTU500 series CMU

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01


Ossur Mobile Logic Application

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01


Tibbo AggreGate Network Manager

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05