End-of-Day report
Timeframe: Donnerstag 29-02-2024 18:00 - Freitag 01-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
CISA cautions against using hacked Ivanti VPN gateways even after factory resets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/
Angriffe auf Windows-Lücke - Update seit einem halben Jahr verfügbar
Die CISA warnt vor Angriffen auf eine Lücke in Microsofts Streaming Service. Updates gibt es seit mehr als einem halben Jahr.
https://heise.de/-9643763
Wireshark Tutorial: Exporting Objects From a Pcap
This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills.
https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/
Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses
Here-s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor.
https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-open-source-tools-corporate-defenses/
Researchers spot new infrastructure likely used for Predator spyware
Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries.
https://therecord.media/new-predator-spyware-infrastructure-identified
Covert TLS n-day backdoors: SparkCockpit & SparkTar
This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications.
https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sparktar/
How To Hunt For UEFI Malware Using Velociraptor
UEFI threats have historically been limited in number and mostly implemented bynation state actors as stealthy persistence. However, the recent proliferationof Black Lotus on the dark web, Trickbot enumeration module (late 2022), andGlupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field.
https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-using-velociraptor/
Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1
This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike.
https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-rattagatta-series-part-1
Vulnerabilities
Security updates for Friday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).
https://lwn.net/Articles/964166/
Sicherheitsupdate: Nividia-Grafikkarten-Treiber als Einfallstor für Angreifer
Insgesamt hat Nvidia mit den Updates acht Sicherheitslücken geschlossen. Davon sind vier (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) mit dem Bedrohungsgrad "hoch" eingestuft. An diesen Stellen können Angreifer auf einem nicht näher beschriebenen Weg Speicherfehler auslösen und so Schadcode auf Systeme schieben und ausführen. Im Anschluss gelten Computer in der Regel als vollständig kompromittiert.
https://heise.de/-9643306
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004