Tageszusammenfassung - 28.03.2024

End-of-Day report

Timeframe: Mittwoch 27-03-2024 18:00 - Donnerstag 28-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

New Darcula phishing service targets iPhone users via iMessage

A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.

https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/


Cisco warns of password-spraying attacks targeting VPN services

Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/


DinodasRAT Linux implant targeting entities worldwide

In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.

https://securelist.com/dinodasrat-linux-implant/112284/


From JavaScript to AsyncRAT, (Thu, Mar 28th)

It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called -_Rechnung_01941085434_PDF.js- (Invoice in German) with a low VT score.

https://isc.sans.edu/diary/rss/30788


Android Malware Vultur Expands Its Wingspan

The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim-s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.

https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/


Netz-digitalisierung.com eröffnet Konten in Ihrem Namen!

Verlockende Nebenjob-Angebote als App-Tester:in oder Studienteilnehmer:in über die Seite netz-digitalisierung.com führen zu Identitätsdiebstahl! Die Kriminellen eröffnen Konten in Ihrem Namen und verwenden diese möglicherweise für kriminelle Zwecke.

https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/


Pre-Ransomware Aktivität: Schadakteure nutzen CitrixBleed (CVE-2023-4966) noch immer und verstärkt für Initialzugriff

Aktuell sind uns einige Ransomware-Vorfälle in Österreich bekannt, bei denen mit sehr hoher Wahrscheinlichkeit CitrixBleed (CVE-2023-4966) als primärer Angriffsvektor für den initialen Zugriff auf die Organisationsnetzwerke benutzt wurde. Ein Patch steht seit geraumer Zeit zur Verfügung.

https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-nutzen-citrixbleed-cve-2023-4966-noch-immer-und-verstarkt-fur-initialzugriff


Schon wieder zu viel Schadcode: Keine neuen Projekte für Python-Registry PyPI

Ein Ansturm von Paketen mit Schadcode hat die Betreiber des Python Package Index dazu veranlasst, die Aufnahme neuer Projekte und User zu stoppen.

https://heise.de/-9670240

Vulnerabilities

Nvidias newborn ChatRTX bot patched for security bugs

ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE-2024-0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).

https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatrtx_security_flaws/


Security updates for Thursday

Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).

https://lwn.net/Articles/966961/


Splunk Patches Vulnerabilities in Enterprise Product

Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.

https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-product/


Neue SugarCRM-Versionen schließen kritische Lücken

Insgesamt 18, teils kritische Lücken schließen die neuen Versionen SugarCRM 13.03. und 12.05.

https://heise.de/-9670436


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)

https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-18-2024-to-march-24-2024/


Synology-SA-24:05 Synology Surveillance Station Client

https://www.synology.com/en-global/support/security/Synology_SA_24_05


Synology-SA-24:04 Surveillance Station

https://www.synology.com/en-global/support/security/Synology_SA_24_04