End-of-Day report
Timeframe: Tuesday 12-03-2024 18:00 - Wednesday 13-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
RisePro stealer targets GitHub users in "gitgub" campaign
We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named "gitgub" by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram.
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github
Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th)
Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try to process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script).
https://isc.sans.edu/diary/rss/30740
FakeBat delivered via several active malvertising campaigns
A number of software brands are being impersonated with malicious ads and fake sites to distribute malware.
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns
Money laundering instead of babysitting: beware of this job scam!
Criminals post on babysitter platforms claiming to be looking for childcare for their child or children. The supposed parent claims to still be living abroad and to be moving to Austria at a later date. So that the children feel at home right from the start, the new babysitters are asked to buy toys in advance.
https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsicht-vor-diesem-jobbetrug/
JetBrains vulnerability exploitation highlights debate over silent patching
Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers' servers to Rapid7's decision to release detailed information on the vulnerabilities.
https://therecord.media/jetbrains-rapid7-silent-patching-dispute
Unpacking Flutter hives
The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code.
https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/
Threat actors leverage document publishing sites for ongoing credential and session token theft
Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow.
https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis.
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
Vulnerabilities
Cisco Security Advisories 2024-03-13
Security Impact Rating: 3x High, 4x Medium
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F03%2F13&firstPublishedEndDate=2024%2F03%2F13&pageNum=1&isRenderingBugList=false
Palo Alto Security Advisories 2024-03-13
Security Impact Rating: 3x Medium
https://security.paloaltonetworks.com/
Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins - $1,250 Bounty Awarded
Both miniOrange's Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.
https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpatched-in-two-permanently-closed-miniorange-wordpress-plugins-1250-bounty-awarded/
Security updates for Wednesday
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
https://lwn.net/Articles/965278/
March Patch Tuesday: Microsoft plugs two critical holes in Hyper-V
In total, the March Patch Tuesday brings fixes for 61 security vulnerabilities.
https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritische-loecher-in-hyper-v/
Adobe Releases Security Updates for Multiple Products
Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate
https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-updates-multiple-products
AMD and Intel close CPU security vulnerabilities in Core and Ryzen CPUs
For Patch Tuesday, AMD and Intel disclose further security vulnerabilities in their processors, including race conditions.
https://heise.de/-9653846
Fortinet Patch Day: updates against critical vulnerabilities
For the March Patch Day, Fortinet has closed security vulnerabilities in FortiOS, FortiProxy, FortiClientEMS and FortiManager.
https://heise.de/-9653730
Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575
https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-update-for-cve202339368-and-cve202338575
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Lenovo Security Advisories 2024-03-12
https://support.lenovo.com/at/de/product_security/home
Xen Security Advisory CVE-2024-2193 / XSA-453
https://xenbits.xen.org/xsa/advisory-453.html
Xen Security Advisory CVE-2023-28746 / XSA-452
https://xenbits.xen.org/xsa/advisory-452.html
Wago: Multiple vulnerabilities in web-based management of multiple products
https://cert.vde.com/de/advisories/VDE-2023-039/
Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities
https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html
Bosch: RPS and RPS-LITE operator and communication process vulnerabilities
https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Canon: CPE2024-002 - Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers - 14 March 2024
https://www.canon-europe.com/support/product-security-latest-news/
SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006
SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005
SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004
Google Chrome: three security holes plugged
https://heise.de/-9653082