End-of-Day report
Timeframe: Monday 19-02-2024 18:00 - Tuesday 20-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Ransomware: Lockbit dismantled by investigators - two arrests
Operation Cronos: one arrest each in Poland and Ukraine; investigators have seized a trove of data as well as access to Lockbit's cryptocurrency and websites.
https://www.heise.de/-9633327
Hackers exploit critical RCE flaw in Bricks WordPress site builder
Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Bricks Builder theme to run malicious PHP code on vulnerable sites.
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/
Cactus ransomware claims to steal 1.5TB of Schneider Electric data
The Cactus ransomware gang claims it stole 1.5TB of data from Schneider Electric after breaching the company's network last month.
https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-steal-15tb-of-schneider-electric-data/
Over 28,500 Exchange servers vulnerable to actively exploited bug
Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting.
https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers-vulnerable-to-actively-exploited-bug/
Beware of fake Microsoft security warnings while browsing the web
While browsing the web, a security warning from Microsoft suddenly appears. It claims that your device is infected with a virus and that you should call the "Windows help" number. Do not call this number under any circumstances. It is a fraudulent pop-up window. If you call, criminals will steal your data and money!
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-microsoft-sicherheitswarnungen-beim-surfen-im-internet/
Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.
https://blog.talosintelligence.com/google-cloud-run-abuse/
A technical analysis of the BackMyData ransomware used to attack hospitals in Romania
According to BleepingComputer, a ransomware attack that began on February 11 forced 100 hospitals across Romania to take their systems offline. The BackMyData ransomware, which took credit for the attack, belongs to the Phobos family.
https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/
Vulnerabilities
Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now
ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are an authentication bypass using an alternate path or channel (CVSS score: 10.0) and an improper limitation of a pathname to a restricted directory, aka "path traversal" (CVSS score: 8.4).
https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html
Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH)
Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately.
https://sec-consult.com/vulnerability-lab/advisory/mutiple-stored-cross-site-scripting-vulnerabilities-in-openolat-frentix-gmbh/
SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin
On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000 active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes.
https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-in-rss-aggregator-by-feedzy-wordpress-plugin/
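The Feedzy item above describes the classic outcome of an authenticated SQL injection: a low-privileged user turns a query that should only return their own data into one that reads password hashes. The following is an added illustrative example, not the Feedzy plugin's code; the Wordfence write-up does not publish the vulnerable query, so the table names, the owner_login column and the payload are constructed for the demo. It uses Python with an in-memory SQLite database so it runs stand-alone; in a WordPress plugin the equivalent of the hardened version is passing user input through $wpdb->prepare() instead of splicing it into the SQL string.

```python
"""Illustrative SQL injection demo (constructed example, not plugin code)."""
import sqlite3

# Constructed placeholder for a WordPress phpass hash; the real value is irrelevant.
ADMIN_HASH = "$P$B" + "0" * 30

# A UNION payload that tacks a second SELECT onto the intended query.
# The trailing "-- " comments out the closing quote the original query appends.
PAYLOAD = "' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


def make_db() -> sqlite3.Connection:
    """Build a minimal WordPress-like schema with one admin and one feed (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_feeds (id INTEGER PRIMARY KEY, owner_login TEXT, title TEXT);
        """
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.execute("INSERT INTO wp_feeds VALUES (1, 'contributor1', 'My first feed')")
    conn.commit()
    return conn


def list_titles_vulnerable(conn: sqlite3.Connection, owner_login: str) -> list[str]:
    """BAD: the caller-controlled value becomes part of the SQL text.

    A contributor is meant to see only their own feed titles, but the payload
    above changes the query's structure and returns user_login:user_pass pairs.
    """
    sql = f"SELECT title FROM wp_feeds WHERE owner_login = '{owner_login}'"
    return [row[0] for row in conn.execute(sql)]


def list_titles_safe(conn: sqlite3.Connection, owner_login: str) -> list[str]:
    """GOOD: the SQL text is constant; the value is bound as a parameter.

    The database driver never parses the value as SQL, so the payload is just
    an owner_login string that matches no row.
    """
    sql = "SELECT title FROM wp_feeds WHERE owner_login = ?"
    return [row[0] for row in conn.execute(sql, (owner_login,))]


def run_demo() -> tuple[list[str], list[str]]:
    """Run the payload against both variants and return (vulnerable, safe) results."""
    conn = make_db()
    return list_titles_vulnerable(conn, PAYLOAD), list_titles_safe(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("vulnerable query returned:", leaked)   # admin login and hash leak
    print("parameterized query returned:", blocked)  # nothing leaks
```

Note that the vulnerable function never grants the attacker more database privileges; it simply lets a query that already runs with the plugin's full access return rows from a table the feature was never meant to touch, which is exactly why a contributor-level account is enough.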
Security updates for Tuesday
Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).
https://lwn.net/Articles/962881/
Zyxel security advisory for multiple vulnerabilities in firewalls and APs
Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024
Joomla: [20240205] - Core - Inadequate content filtering within the filter code
https://developer.joomla.org:443/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html
Joomla: [20240204] - Core - XSS in mail address outputs
https://developer.joomla.org:443/security-centre/928-20240204-core-xss-in-mail-address-outputs.html
Joomla: [20240203] - Core - XSS in media selection fields
https://developer.joomla.org:443/security-centre/927-20240203-core-xss-in-media-selection-fields.html
Joomla: [20240202] - Core - Open redirect in installation application
https://developer.joomla.org:443/security-centre/926-20240202-core-open-redirect-in-installation-application.html
Joomla: [20240201] - Core - Insufficient session expiration in MFA management views
https://developer.joomla.org:443/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Mozilla: Security Vulnerabilities fixed in Firefox 123
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/
MISP 2.4.185 released with sighting performance improvements, security and bugs fixes.
https://github.com/MISP/MISP/releases/tag/v2.4.185
Ethercat Zeek Plugin
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02
Mitsubishi Electric Electrical Discharge Machines
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-03
Commend WS203VICM
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01