Tageszusammenfassung - 25.03.2024

End-of-Day report

Timeframe: Freitag 22-03-2024 18:00 - Montag 25-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

New ZenHammer memory attack impacts AMD Zen CPUs

Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips.

https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-impacts-amd-zen-cpus/


New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.

https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/


Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others

Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data.

https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html


New Go loader pushes Rhadamanthys stealer

A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.

https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys


Phishing mit gefälschten Rechnungen von Anwaltskanzleien

Laut BlueVoyant geben sich die Angreifer als Anwaltskanzleien aus und missbrauchen das Vertrauen, das ihre Opfer "seriösen" Juristen entgegenbringen. [..] Die NaurLegal-Kampagne täuscht Legitimität vor, indem sie PDF-Dateien mit seriös anmutenden Dateinamen wie -Rechnung_[Nummer]_von_[Name der Anwaltskanzlei].pdf- erstellt und versendet. [..] Die Infrastruktur der NaurLegal-Kampagne umfasst Domänen, die mit WikiLoader verknüpft sind und deren Folgeaktivitäten auf eine Zuordnung zu dieser Malware-Familie schließen lassen. WikiLoader ist bekannt für ausgefeilte Verschleierungstechniken, wie z. B. die Überprüfung von Wikipedia-Antworten auf bestimmte Zeichenfolgen, um Sandbox-Umgebungen zu umgehen.

https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwaltskanzleien/


CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities

Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations.

https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-secure-design-alert-urge-manufacturers-eliminate-sql-injection-vulnerabilities


APT29 Uses WINELOADER to Target German Political Parties

In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR-s responsibility to collect political intelligence and this APT29 cluster-s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.

https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).

https://lwn.net/Articles/966611/


Firefox: Notfall-Update schließt kritische Sicherheitslücken

Die Mozilla-Entwickler haben zwei kritische Sicherheitslücken mit dem Update auf Firefox 124.0.1 und Firefox ESR 115.9.1 geschlossen.

https://heise.de/-9664148


Sicherheitslücken in Microsofts WiX-Installer-Toolset gestopft

Das quelloffene WiX-Installer-Toolset von Microsoft hat zwei Sicherheitslücken. Die dichten aktualisierte Versionen ab.

https://heise.de/-9664602


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


MISP 2.4.188 released major performance improvements and many bugs fixed.

https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/


MISP 2.4.187 released with security fixes, new features and bugs fixes.

https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/


Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1

https://www.tenable.com/security/tns-2024-06


F5: K000138990 : BIND vulnerability CVE-2023-4408

https://my.f5.com/manage/s/article/K000138990