End-of-Day report
Timeframe: Wednesday 21-02-2024 18:00 - Thursday 22-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
New SSH-Snake malware steals SSH keys to spread across the network
A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.
https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/
Google Play Store: Banking trojan targets European users
Variants of the Anatsa banking trojan are appearing in the Google Play Store. They reach more than 100,000 installations.
https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaeische-Nutzer-ins-Visier-9635463.html
Why ransomware gangs love using RMM tools - and how to stop them
More and more ransomware gangs are using RMM tools in their attacks.
https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-love-using-rmm-tools-and-how-to-stop-them
Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally.
https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/
Attacks against ConnectWise ScreenConnect
The remote desktop and access software ConnectWise ScreenConnect is currently the target of cyberattacks. The software's vendor recently published a security advisory regarding authentication bypass and path traversal vulnerabilities and has since extended it with notes on attacks already under way and indicators of compromise that has already taken place.
https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect
TinyTurla-NG in-depth tooling and command and control analysis
Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.
https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/
LockBit Attempts to Stay Afloat With a New Version
This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations.
https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html
Decrypted: HomuWitch Ransomware
HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies.
https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/
"To live is to fight, to fight is to live!" - IBM ODM Remote Code Execution
In today's match-up, we're looking at various versions (both old and new!) of IBM's "Operational Decision Manager" (ODM).
https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/
Vulnerabilities
Code injection vulnerability in various HP laser printers
HP is warning in two separate security advisories about vulnerabilities in various LaserJet printers. Firmware updates are meant to close them.
https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Druckern-9635826.html
Security updates for Thursday
Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...]
https://lwn.net/Articles/963205/
Progress Kemp LoadMaster (load balancer) vulnerability CVE-2024-1212
As of 8 February 2024, there was a notice for administrators who use the LoadMaster load balancer from Progress Kemp to update its firmware.
https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-balancer-schwachstelle-cve-2024-1212/
2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption
https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
WAGO: Multiple products affected by Terrapin
https://cert.vde.com/de/advisories/VDE-2024-014/
[R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2024-03
[R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2024-04
Delta Electronics CNCSoft-B DOPSoft
https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01