End-of-Day report
Timeframe: Friday 01-03-2024 18:00 - Monday 04-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Gemini, ChatGPT and LLaVA: New worm spreads itself through AI ecosystems
Researchers have developed an AI worm. It can not only exfiltrate sensitive data but also propagate itself within a GenAI ecosystem.
https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-sich-in-ki-oekosystemen-selbst-2403-182790.html
Hunting For Integer Overflows In Web Servers
In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that's the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie!
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for-integer-overflows-in-web-servers/
New Wave of SocGholish Infections Impersonates WordPress Plugins
SocGholish malware, otherwise known as "fake browser updates", is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites.
https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html
Rise in Deceptive PDF: The Gateway to Malicious Payloads
McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-the-gateway-to-malicious-payloads/
Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers
A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS).
https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-based-plc-malware-researchers/
Beware of fake parcel notifications
Expecting a parcel? Check notifications about the shipping status very carefully! Fake parcel notifications in the name of all common delivery services are currently circulating. Never click hastily on links in e-mails and text messages, and never disclose credit card details!
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachrichtigungen/
Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE
Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid - fe12e833-6f0c-45c9-97d6-83337ea6c5d3).
https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-to-godzilla-web-shell-discovery-new-cve/
Microsoft closes exploited Windows 0-day vulnerability CVE-2024-21338 six months after it was reported
In February 2024, Microsoft closed the vulnerability CVE-2024-21338 in the kernel of Windows 10/11 and various Windows Server versions. Great! The catch: the vulnerability was reported by AVAST in August 2023, and at that time it was already being exploited as a 0-day.
https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-windows-0-day-schwachstelle-cve-2024-21338-sechs-monate-nach-meldung/
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors.
https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html
GitHub as a malware distribution hub
A security company reports on a new scheme for distributing malicious code on a large scale: via compromised clone repositories on GitHub.
https://heise.de/-9644525
Vulnerabilities
Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199)
JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately.
https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/
Security updates for Monday
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird).
https://lwn.net/Articles/964376/
Hikvision Patches High-Severity Vulnerability in Security Management System
Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs.
https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-in-security-management-system/
Aruba: Code injection possible via security vulnerabilities in Clearpass Manager
HPE's Aruba Clearpass Manager contains security vulnerabilities, some of them critical. Updates to close them are available. [..] One vulnerability affects the bundled Apache Struts server and allows command injection (CVE-2023-50164, CVSS 9.8, risk "critical").
https://heise.de/-9644607
Solarwinds: Malicious code vulnerability in Security Event Manager
Attackers can abuse security vulnerabilities in Solarwinds Secure Event Manager to inject malicious code. Updates plug the holes.
https://heise.de/-9644643
Attackers can compromise systems running Dell software
Important security patches have been released for Dell Data Protection Advisor, iDRAC8 and Secure Connect Gateway.
https://heise.de/-9644978
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
F5: K000138726 : Linux kernel vulnerability CVE-2023-3611
https://my.f5.com/manage/s/article/K000138726