End-of-Day report
Timeframe: Friday 23-02-2024 18:00 - Monday 26-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Hijacked subdomains of major brands used in massive spam campaign
A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising. [..] As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam.
https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/
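The campaign above profits from SPF and DKIM policies that still vouch for infrastructure the brand no longer controls. The check below is an added example (not from the BleepingComputer article or from Guardio): it flattens an SPF include chain against a constructed in-memory zone table and flags include or redirect targets that no longer resolve, since a lapsed domain left in a trusted sender's SPF record is exactly what a spammer can register and authorize their own IPs under. It also counts DNS-querying mechanisms against the RFC 7208 limit of ten, because a record that exceeds it fails with PermError and filters may then fall back to treating mail leniently. All domain names in the table are hypothetical; in production, replace `lookup_spf` with a real TXT lookup.

```python
"""Flatten an SPF include chain and flag includes that no longer resolve."""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (hypothetical domains).
# None models NXDOMAIN / no SPF record: a name an attacker could register and
# then publish their own SPF record under, inheriting the brand's trust.
SAMPLE_TXT = {
    "brand.example": "v=spf1 include:_spf.mailer.example include:old-vendor.example ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 mx include:relay.example ip4:198.51.100.0/24 ~all",
    "relay.example": "v=spf1 ip6:2001:db8::/32 -all",
    "old-vendor.example": None,
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms
DNS_MECHANISMS = ("a", "mx", "ptr", "exists")  # counted, but not expanded here


def lookup_spf(domain, table):
    """Return the SPF record for domain, or None when the name does not resolve."""
    return table.get(domain)


def flatten_spf(domain, table=SAMPLE_TXT):
    """Walk include:/redirect= chains starting at domain.

    Returns a dict with 'networks' (normalised ip4/ip6 terms), 'dangling'
    (include/redirect targets that have no record), 'lookups' (number of
    DNS-querying mechanisms seen) and 'over_limit' (True when lookups > 10).
    """
    state = {"networks": [], "dangling": [], "lookups": 0, "visited": set()}
    _walk(domain, table, state, is_root=True)
    state["over_limit"] = state["lookups"] > MAX_LOOKUPS
    del state["visited"]
    return state


def _walk(domain, table, state, is_root=False):
    if domain in state["visited"]:
        return  # an include loop would otherwise recurse forever
    state["visited"].add(domain)
    record = lookup_spf(domain, table)
    if record is None:
        if not is_root:
            state["dangling"].append(domain)  # registrable by a third party
        return
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")  # qualifiers do not matter for this check
        mech, _, arg = term.partition(":")
        if term.startswith("redirect="):
            state["lookups"] += 1
            _walk(term.split("=", 1)[1], table, state)
        elif mech == "include":
            state["lookups"] += 1
            _walk(arg, table, state)
        elif mech in ("ip4", "ip6"):
            state["networks"].append(str(ipaddress.ip_network(arg, strict=False)))
        elif mech.split("/")[0] in DNS_MECHANISMS:
            state["lookups"] += 1


if __name__ == "__main__":
    report = flatten_spf("brand.example")
    for name in report["dangling"]:
        print(f"DANGLING include target, registrable by anyone: {name}")
    print(f"{report['lookups']} DNS lookups, over limit: {report['over_limit']}")
    print("authorised networks:", ", ".join(report["networks"]))
```

Run against the constructed table, the walk reports `old-vendor.example` as dangling and four DNS-querying mechanisms (three includes plus one `mx`), well under the limit. The `visited` set is what makes mutual includes terminate; real resolvers should additionally enforce the limit while walking rather than only report it afterwards.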
New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT
Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.
https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html
Actively exploited open redirect in Google Web Light
An open redirect vulnerability exists in the remains of Google Web Light service, which is being actively exploited in multiple phishing campaigns. Google decided not to fix it, so it might be advisable to block access to the Web Light domain in corporate environments.
https://untrustednetwork.net/en/2024/02/26/google-open-redirect/
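Blocking the Web Light domain outright, as the item suggests, is the simplest fix. For retrospective hunting, the script below is an added example (not from the untrustednetwork.net write-up): it scans constructed proxy log lines for requests to the redirector whose query parameter carries a URL to a host outside the organisation's own domains. The redirector host name (`googleweblight.com`), the parameter names (`u`, `lite_url`) and the trusted domain list are assumptions here and must be checked against the advisory and your environment.

```python
"""Flag proxy log entries that use an open redirector to reach an external host."""
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the advisory: the redirector host and the query
# parameter(s) that carry the destination. Verify both before deploying.
REDIRECTOR_HOSTS = {"googleweblight.com"}
REDIRECT_PARAMS = ("u", "lite_url")

# First-party domains whose redirects are treated as benign (constructed).
TRUSTED_SUFFIXES = ("example.com",)

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-02-26T09:14:02Z 10.0.0.12 GET https://googleweblight.com/i?u=https://login-verify.example.net/idp 302
2024-02-26T09:15:10Z 10.0.0.13 GET https://www.example.com/index.html 200
2024-02-26T09:16:45Z 10.0.0.12 GET https://googleweblight.com/i?u=https://www.example.com/news 302
2024-02-26T09:17:01Z 10.0.0.14 GET https://googleweblight.com/i?u=//cdn.phish-example.org/login 302
"""


def redirect_target(url):
    """Return the host a redirector URL would bounce the client to, or None.

    Handles absolute targets and scheme-relative ones (//host/path), which
    simple "starts with http" filters miss.
    """
    parts = urlsplit(url)
    if parts.hostname not in REDIRECTOR_HOSTS:
        return None
    query = parse_qs(parts.query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            target = urlsplit(value if "//" in value else "//" + value)
            if target.hostname:
                return target.hostname.lower()
    return None


def is_trusted(host):
    """True when host is one of, or a subdomain of, the trusted suffixes."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_abused_redirects(log_text):
    """Return (client_ip, url, target_host) for redirector hits to untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        client, url = fields[1], fields[3]
        host = redirect_target(url)
        if host and not is_trusted(host):
            hits.append((client, url, host))
    return hits


if __name__ == "__main__":
    for client, url, host in find_abused_redirects(SAMPLE_LOG):
        print(f"{client} followed open redirect to {host}: {url}")
```

On the constructed log this reports the two clients bounced to `login-verify.example.net` and `cdn.phish-example.org`, and ignores the redirect that lands on the organisation's own site. Treat the flagged clients as phishing exposures to follow up, not as confirmed compromise.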
Webinar: How do I protect myself against identity theft?
In this webinar we look at current scam tactics and discuss tools that make browsing the internet safer.
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-identitaetsdiebstahl/
Mattermost: Support for Extended Support Release 8.1 is ending soon
As of May 15, 2024, Mattermost Extended Support Release (ESR) version 8.1 will no longer be supported. If any of your servers are not on ESR 9.5 or later, upgrading is recommended.
https://mattermost.com/blog/support-for-extended-support-release-8-1-is-ending-soon/
SVR Cyber Actors Adapt Tactics for Initial Cloud Access
This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant)
AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that runs on Linux. Although fewer Gh0st RAT samples exist for Linux than for Windows, Linux cases are continuously being collected.
https://asec.ahnlab.com/en/62144/
Ransomware Roundup - Abyss Locker
FortiGuard Labs highlights the Abyss Locker ransomware group that steals information from victims and encrypts files for financial gain.
https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker
Ransomware: LockBit admits mistakes, plans attacks on government institutions
The LockBit ransomware group admits to mistakes made out of laziness, mocks the FBI and intends to intensify attacks on government institutions.
https://heise.de/-9638063
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube).
https://lwn.net/Articles/963725/
Critical Flaw in Popular 'Ultimate Member' WordPress Plugin
The vulnerability carries a CVSS severity score of 9.8/10 and affects websites running the Ultimate Member WordPress membership plugin.
https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordpress-plugin/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Local Privilege Escalation via DLL Hijacking in Qognify VMS Client Viewer
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escalation-via-dll-hijacking-im-qognify-vms-client-viewer/
F5: K000138695 : OpenSSL vulnerability CVE-2024-0727
https://my.f5.com/manage/s/article/K000138695
F5: K000138682 : libssh vulnerability CVE-2023-2283
https://my.f5.com/manage/s/article/K000138682