Tageszusammenfassung - 20.02.2024

End-of-Day report

Timeframe: Montag 19-02-2024 18:00 - Dienstag 20-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer


Ransomware: Lockbit durch Ermittler zerschlagen - zwei Festnahmen

Operation Cronos: Je eine Verhaftung in Polen und der Ukraine, Ermittler haben Datenschatz sowie Zugriff auf Kryptogeld und Websites von Lockbit erbeutet.


Hackers exploit critical RCE flaw in Bricks WordPress site builder

Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites.


Cactus ransomware claim to steal 1.5TB of Schneider Electric data

The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the companys network last month.


Over 28,500 Exchange servers vulnerable to actively exploited bug

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting.


Vorsicht vor falschen Microsoft-Sicherheitswarnungen beim Surfen im Internet

Beim Surfen im Internet taucht plötzlich eine Sicherheitswarnung von Microsoft auf. Darin heißt es, dass Ihr Gerät von einem Virus befallen sei und Sie die -Windowshilfe- anrufen sollen. Rufen Sie diese Nummer keinesfalls an. Es handelt sich um ein betrügerisches Pop-Up-Fenster. Wenn Sie anrufen, stehlen Kriminelle Daten und Geld!


Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.


A technical analysis of the BackMyData ransomware used to attack hospitals in Romania

Summary According to BleepingComputer, a ransomware attack that occurred starting 0n February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family.



Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now

ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are listed below - Authentication bypass using an alternate path or channel (CVSS score: 10.0) - Improper limitation of a pathname to a restricted directory aka "path traversal" (CVSS score: 8.4)


Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH)

Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately.


SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin

On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes.


Security updates for Tuesday

Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).


Zyxel security advisory for multiple vulnerabilities in firewalls and APs

Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764


Joomla: [20240205] - Core - Inadequate content filtering within the filter code


Joomla: [20240204] - Core - XSS in mail address outputs


Joomla: [20240203] - Core - XSS in media selection fields


Joomla: [20240202] - Core - Open redirect in installation application


Joomla: [20240201] - Core - Insufficient session expiration in MFA management views


IBM Security Bulletins


Mozilla: Security Vulnerabilities fixed in Firefox 123


MISP 2.4.185 released with sighting performance improvements, security and bugs fixes.


Ethercat Zeek Plugin


Mitsubishi Electric Electrical Discharge Machines


Commend WS203VICM