Daily Summary - 29.03.2024

End-of-Day report

Timeframe: Thursday 28-03-2024 18:00 - Friday 29-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Doctor Web's January 2024 review of virus activity on mobile devices

According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%.

https://news.drweb.com/show/review/?lng=en&i=14833


Quick Forensics Analysis of Apache logs, (Fri, Mar 29th)

Sometimes, you've to quickly investigate a webserver's logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs on a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible to their location/source and only download the investigation results.

https://isc.sans.edu/diary/rss/30792


New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking

Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante.

https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html


Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds

Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.

https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html


Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base

US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity.

https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-defense-industrial-base/


E-mail about "questionable transaction" leads to malware

Criminals are currently sending indiscriminate e-mails to companies with the subject "Questionable Transaction on Credit Card - Need Explanation". The criminals ask the recipient to reply to the e-mail to explain where the "questionable transaction" on the credit card came from. Anyone who replies promptly receives a new e-mail. This time an account statement is attached as proof. At least that is what the criminals claim.

https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktion-fuehrt-zu-schadsoftware/


Stories from the SOC Part 1: IDAT Loader to BruteRatel

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected.

https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

Vulnerabilities

Security updates for Friday

Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).

https://lwn.net/Articles/967134/


26 Security Issues Patched in TeamCity

TeamCity 2024.03, released on March 27, patches 26 "security problems", according to JetBrains. The company highlighted that it's not sharing the details of security-related issues "to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity".

https://www.securityweek.com/26-security-issues-patched-in-teamcity/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


F5: K000139084 : DNS vulnerability CVE-2023-50868

https://my.f5.com/manage/s/article/K000139084