Tageszusammenfassung - 05.03.2024

End-of-Day report

Timeframe: Montag 04-03-2024 18:00 - Dienstag 05-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

ScreenConnect flaws exploited to drop new ToddleShark malware

The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.

https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/


Network tunneling with- QEMU?

While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator.

https://securelist.com/network-tunneling-with-qemu/111803/


Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.

https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.html


Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users.

https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-ordered-to-reveal-code-used-to-spy-on-whatsapp-users


AnyDesk: Zugriffsversuche aus Spanien; Unsignierter Client verteilt

Das Drama bei AnyDesk geht anscheinend weiter, obwohl ich die Hoffnung hatte, das Thema langsam abschließen zu können...

https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spanien-unsignierter-client-verteilt/


WogRAT Malware Exploits aNotepad (Windows, Linux)

AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform.

https://asec.ahnlab.com/en/62446/


GhostSec-s joint ransomware operation and evolution of their arsenal

Cisco Talos observed a surge in GhostSec, a hacking group-s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/


Ransomware: ALPHV/Blackcat betrügt offensichtlich Partner und zieht sich zurück

Die Fakten legen nahe, dass ALPHV/Blackcat einen Cybercrime-Partner um 22 Millionen US-Dollar betrogen und sich nun zurückgezogen hat.

https://heise.de/-9646707

Vulnerabilities

Exploit available for new critical TeamCity auth bypass bug, patch now

A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.

https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/


Multiple vulnerabilities in RT-Thread RTOS

I reviewed RT-Thread-s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution.

https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/


Security updates for Tuesday

Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django).

https://lwn.net/Articles/964450/


Zeek Security Tool Vulnerabilities Allow ICS Network Hacking

Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments.

https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-network-hacking/


VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption

https://kb.cert.org/vuls/id/782720


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Security Vulnerabilities fixed in Thunderbird 115.8.1

https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/


Nice Linear eMerge E3-Series

https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01


Santesoft Sante FFT Imaging

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01


K000138814 : OpenLDAP vulnerability CVE-2023-2953

https://my.f5.com/manage/s/article/K000138814


Patchday: Kritische Schadcode-Lücken bedrohen Android 12, 13 und 14

https://heise.de/-9646073