End-of-Day report
Timeframe: Montag 25-03-2024 18:00 - Dienstag 26-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Free VPN apps on Google Play turned Android phones into proxies
Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots.
https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play-turned-android-phones-into-proxies/
New tool: linux-pkgs.sh, (Sun, Mar 24th)
During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do?
https://isc.sans.edu/diary/rss/30774
Agent Teslas New Ride: The Rise of a Novel Loader
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/
The Darkside of TheMoon
The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of -TheMoon- malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless- growth at of a rate of nearly 7,000 new users per week. Through Lumen-s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
https://blog.lumen.com/the-darkside-of-themoon/
Recent -MFA Bombing- Attacks Targeting Apple Users
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apples password reset feature. In this scenario, a targets Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Dont Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple-s real customer support line).
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/
Suspicious NuGet Package Harvesting Information From Industrial Systems
A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.
https://www.securityweek.com/suspicious-nuget-package-harvesting-information-from-industrial-systems/
Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script
This blog entry discusses the Agenda ransomware groups use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers.
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
https://lwn.net/Articles/966678/
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254,CVE-2024-23263, CVE-2024-23280,CVE-2024-23284, CVE-2023-42950,CVE-2023-42956, CVE-2023-42843.
https://webkitgtk.org/security/WSA-2024-0002.html
macOS 14.4.1 mit jeder Menge Bugfixes - Sicherheitshintergründe zu iOS 17.4.1
Apple hat am Montagabend ein weiteres Update für macOS 14 veröffentlicht. Es behebt diverse Fehler. Parallel gibt es Infos zu iOS 17.4.1 und dessen Fixes.
https://heise.de/-9666170
Loadbalancer: Sicherheitslücken in Loadmaster von Progress/Kemp
In der Loadbalancer-Software Loadmaster von Progress/Kemp klaffen Sicherheitslücken, durch die Angreifer etwa Befehle einschleusen können.
https://heise.de/-9666253
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality
https://cert-portal.siemens.com/productcert/html/ssb-201698.html
Rockwell Automation FactoryTalk View ME
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
Rockwell Automation PowerFlex 527
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02
Rockwell Automation Arena Simulation
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03
Automation-Direct C-MORE EA9 HMI
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01