End-of-Day report
Timeframe: Donnerstag 14-03-2024 18:00 - Freitag 15-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
SIM swappers hijacking phone numbers in eSIM attacks
SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone-numbers-in-esim-attacks/
StopCrypt: Most widely distributed ransomware now evades detection
A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.
https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distributed-ransomware-now-evades-detection/
5Ghoul Revisited: Three Months Later, (Fri, Mar 15th)
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
https://isc.sans.edu/diary/rss/30746
Third-Party ChatGPT Plugins Could Lead to Account Takeovers
Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.
https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.html
Vorsicht vor Abo-Falle auf produktretter.at!
Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an.
https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktretterat/
Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled
We analyze recent samples of BunnyLoader 3.0 to illuminate this malware-s evolved and upscaled capabilities, including its new downloadable module system.
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
How to share sensitive files securely online
Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe.
https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-online/
The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions
Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.
https://blog.talosintelligence.com/ransomware-affiliate-model/
Zwei Backdoors in Ivanti-Appliances analysiert
Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben.
https://heise.de/-9656137
Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig
Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus.
https://heise.de/-9656574
Vulnerabilities
Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06
Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP7-IF06
Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413)
In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010
https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html
Security updates for Friday
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
https://lwn.net/Articles/965576/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
CVE-2024-2247: JFrog Artifactory Cross-Site Scripting
https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-artifactory-cross-site-scripting