End-of-Day report
Timeframe: Monday 15-04-2024 18:00 - Tuesday 16-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)
At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe it's so? Instead, we've decided to do something better - that's right! We're proud to release another detection artefact generator tool, this time in the form of an HTTP request:
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Quick Palo Alto Networks Global Protect Vulnerability Update (CVE-2024-3400), (Mon, Apr 15th)
One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April.
https://isc.sans.edu/diary/rss/30838
New SteganoAmor attacks use steganography to target 320 orgs globally
A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017.
https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally/
AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.
https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html
Beware of fake bank calls
You receive a call, supposedly from a bank. The person on the phone claims that you have submitted a loan application. If you object, the person on the phone explains that criminals must then have submitted the loan application in your name. Hang up! This is a scam!
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
Access management: critical admin vulnerability in Delinea Secret Server closed
Delinea's Privileged Access Management (PAM) solution Secret Server is vulnerable. A security update is available.
https://heise.de/-9686457
Vulnerabilities
Severe security vulnerability in PuTTY - CVE-2024-31497
Security researchers have found a severe security vulnerability in PuTTY, a widely used open-source software for establishing connections over Secure Shell (SSH). Under certain circumstances, exploitation of CVE-2024-31497 allows attackers to recover the private key of a cryptographic key pair.
https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2024-31497
Security updates for Tuesday
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).
https://lwn.net/Articles/970036/
Proscend Communications M330-W and M330-W5 vulnerable to OS command injection
https://jvn.jp/en/jp/JVN23835228/
B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products
https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFail-bf1f2ea5.pdf
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10
https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/
Mozilla: Security Vulnerabilities fixed in Firefox 125
https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/
Libreswan: IKEv1 default AH/ESP responder can crash and restart
https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt
Measuresoft ScadaPro
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01
Electrolink FM/DAB/TV Transmitter
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
Rockwell Automation ControlLogix and GuardLogix
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03
RoboDK RoboDK
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04