End-of-Day report
Timeframe: Wednesday 27-03-2024 18:00 - Thursday 28-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
New Darcula phishing service targets iPhone users via iMessage
A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.
https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/
Cisco warns of password-spraying attacks targeting VPN services
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/
DinodasRAT Linux implant targeting entities worldwide
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
https://securelist.com/dinodasrat-linux-implant/112284/
From JavaScript to AsyncRAT, (Thu, Mar 28th)
It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called "Rechnung_01941085434_PDF.js" ("Rechnung" is German for invoice) with a low VT score.
https://isc.sans.edu/diary/rss/30788
Android Malware Vultur Expands Its Wingspan
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim's mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
Netz-digitalisierung.com opens accounts in your name!
Tempting side-job offers as an app tester or study participant via the site netz-digitalisierung.com lead to identity theft! The criminals open accounts in your name and may use them for criminal purposes.
https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/
Pre-ransomware activity: threat actors are still, and increasingly, using CitrixBleed (CVE-2023-4966) for initial access
We are currently aware of several ransomware incidents in Austria in which, with very high probability, CitrixBleed (CVE-2023-4966) was used as the primary attack vector for initial access to the organisations' networks. A patch has been available for quite some time.
https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-nutzen-citrixbleed-cve-2023-4966-noch-immer-und-verstarkt-fur-initialzugriff
Too much malicious code yet again: no new projects for the Python registry PyPI
A flood of packages containing malicious code has prompted the operators of the Python Package Index to halt the registration of new projects and users.
https://heise.de/-9670240
Vulnerabilities
Nvidia's newborn ChatRTX bot patched for security bugs
ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE-2024-0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).
https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatrtx_security_flaws/
Security updates for Thursday
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
https://lwn.net/Articles/966961/
Splunk Patches Vulnerabilities in Enterprise Product
Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.
https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-product/
New SugarCRM versions close critical vulnerabilities
The new versions SugarCRM 13.03 and 12.05 close a total of 18 vulnerabilities, some of them critical.
https://heise.de/-9670436
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-18-2024-to-march-24-2024/
Synology-SA-24:05 Synology Surveillance Station Client
https://www.synology.com/en-global/support/security/Synology_SA_24_05
Synology-SA-24:04 Surveillance Station
https://www.synology.com/en-global/support/security/Synology_SA_24_04