Tageszusammenfassung - 22.02.2024

End-of-Day report

Timeframe: Mittwoch 21-02-2024 18:00 - Donnerstag 22-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

New SSH-Snake malware steals SSH keys to spread across the network

A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.

https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/


Google Play Store: Banking-Trojaner nimmt europäische Nutzer ins Visier

Im Google Play Store tauchen Varianten des Anatsa-Banking-Trojaners auf. Sie kommen auf über 100.000 Installationen.

https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaeische-Nutzer-ins-Visier-9635463.html


Why ransomware gangs love using RMM tools-and how to stop them

More and more ransomware gangs are using RMM tools in their attacks.

https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-love-using-rmm-tools-and-how-to-stop-them


Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures

In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally.

https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/


Angriffe gegen ConnectWise ScreenConnect

Die Remote Desktop und Access Software ConnectWise ScreenConnect ist aktuell Ziel von Cyberangriffen. Der Hersteller der Software hatte kürzlich ein Security Advisory bezüglich Authentication Bypass und Path Traversal Vulnerabilities veröffentlicht und dieses inzwischen um Hinweise auf bereits laufende Angriff und Indikatoren für eine bereits stattgefundene Kompromittierung erweitert.

https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect


TinyTurla-NG in-depth tooling and command and control analysis

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/


LockBit Attempts to Stay Afloat With a New Version

This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations.

https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html


Decrypted: HomuWitch Ransomware

HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies.

https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/


-To live is to fight, to fight is to live! - IBM ODM Remote Code Execution

In today-s match-up, we-re looking at various versions(both old and new!) of IBM-s -Operational Decision Manager- (ODM).

https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/

Vulnerabilities

Codeschmuggel-Lücke in diversen HP Laser-Druckern

HP warnt mit gleich zwei Sicherheitsmeldungen vor Lücken in diversen Laserjet-Druckern. Firmwareupdates sollen sie schließen.

https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Druckern-9635826.html


Security updates for Thursday

Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...]

https://lwn.net/Articles/963205/


Progress Kemp LoadMaster (Load-Balancer) Schwachstelle CVE-2024-1212

Zum 8. Februar 2024 gab es den Hinweis für Administratoren, die den Load-Balancer LoadMaster von Progress Kemp verwenden, dessen Firmware zu aktualisieren.

https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-balancer-schwachstelle-cve-2024-1212/


2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption

https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


WAGO: Multiple products affected by Terrapin

https://cert.vde.com/de/advisories/VDE-2024-014/


[R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2024-03


[R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2024-04


Delta Electronics CNCSoft-B DOPSoft

https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01