Daily Summary - 01.03.2024

End-of-Day report

Timeframe: Thursday 29-02-2024 18:00 - Friday 01-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

CISA cautions against using hacked Ivanti VPN gateways even after factory resets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.

https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/


Attacks on Windows vulnerability - update available for half a year

CISA warns of attacks on a vulnerability in Microsoft's Streaming Service. Updates have been available for more than half a year.

https://heise.de/-9643763


Wireshark Tutorial: Exporting Objects From a Pcap

This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills.

https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/


Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses

Here's how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor.

https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-open-source-tools-corporate-defenses/


Researchers spot new infrastructure likely used for Predator spyware

Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries.

https://therecord.media/new-predator-spyware-infrastructure-identified


Covert TLS n-day backdoors: SparkCockpit & SparkTar

This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications.

https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sparktar/


How To Hunt For UEFI Malware Using Velociraptor

UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field.

https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-using-velociraptor/


Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1

This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike.

https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-rattagatta-series-part-1

Vulnerabilities

Security updates for Friday

Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).

https://lwn.net/Articles/964166/


Security update: Nvidia graphics card drivers as entry point for attackers

In total, Nvidia has closed eight security vulnerabilities with the updates. Four of them (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) are rated "high" severity. At these points attackers can trigger memory errors in an unspecified way and thereby push malicious code onto systems and execute it. Affected computers are then usually considered fully compromised.

https://heise.de/-9643306


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004