End-of-Day report
Timeframe: Monday 04-03-2024 18:00 - Tuesday 05-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
ScreenConnect flaws exploited to drop new ToddleShark malware
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.
https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/
Network tunneling with... QEMU?
While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator.
https://securelist.com/network-tunneling-with-qemu/111803/
Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.html
Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users
Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users.
https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-ordered-to-reveal-code-used-to-spy-on-whatsapp-users
AnyDesk: access attempts from Spain; unsigned client distributed
The drama at AnyDesk apparently continues, although I had hoped to be able to slowly wrap up the topic...
https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spanien-unsignierter-client-verteilt/
WogRAT Malware Exploits aNotepad (Windows, Linux)
AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform.
https://asec.ahnlab.com/en/62446/
GhostSec's joint ransomware operation and evolution of their arsenal
Cisco Talos observed a surge in GhostSec, a hacking group's malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
Ransomware: ALPHV/Blackcat apparently defrauds affiliate and withdraws
The facts suggest that ALPHV/Blackcat defrauded a cybercrime affiliate of 22 million US dollars and has now withdrawn.
https://heise.de/-9646707
Vulnerabilities
Exploit available for new critical TeamCity auth bypass bug, patch now
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.
https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/
Multiple vulnerabilities in RT-Thread RTOS
I reviewed RT-Thread's source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution.
https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/
Security updates for Tuesday
Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django).
https://lwn.net/Articles/964450/
Zeek Security Tool Vulnerabilities Allow ICS Network Hacking
Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments.
https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-network-hacking/
VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption
https://kb.cert.org/vuls/id/782720
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Security Vulnerabilities fixed in Thunderbird 115.8.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/
Nice Linear eMerge E3-Series
https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01
Santesoft Sante FFT Imaging
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01
K000138814 : OpenLDAP vulnerability CVE-2023-2953
https://my.f5.com/manage/s/article/K000138814
Patch day: critical code-execution vulnerabilities threaten Android 12, 13 and 14
https://heise.de/-9646073