Tageszusammenfassung - 16.04.2024

End-of-Day report

Timeframe: Montag 15-04-2024 18:00 - Dienstag 16-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe its so? Iinstead, weve decided to do something better - thats right! Were proud to release another detection artefact generator tool, this time in the form of an HTTP request:

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/


Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400), (Mon, Apr 15th)

One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April.

https://isc.sans.edu/diary/rss/30838


New SteganoAmor attacks use steganography to target 320 orgs globally

A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017.

https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally/


AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.

https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html


Vorsicht vor falschen Bankanrufen

Sie erhalten einen Anruf - angeblich von einer Bank. Die Person am Telefon behauptet, Sie hätten einen Kreditantrag eingereicht. Wenn Sie widersprechen, erklärt die Person am Telefon, dass dann wohl Kriminelle in Ihrem Namen den Kreditantrag gestellt hätten. Legen Sie auf! Es handelt sich um eine Betrugsmasche!

https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/


Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/


Zugriffsmanagement: Kritische Admin-Lücke in Delinea Secret Server geschlossen

Die Privileged-Access-Management-Lösung (PAM) Secret Server von Delinea ist verwundbar. Ein Sicherheitsupdate ist verfügbar.

https://heise.de/-9686457

Vulnerabilities

Schwere Sicherheitslücke in PuTTY - CVE-2024-31497

Sicherheitsforscher:innen haben in PuTTY, einer verbreiteten quelloffenen Software zur Herstellung von Verbindungen über Secure Shell (SSH), eine schwere Sicherheitslücke gefunden. Die Ausnutzung von CVE-2024-31497 erlaubt es Angreifer:innen unter bestimmten Umständen, den privaten Schlüssel eines kryptographischen Schlüsselpaares wiederherzustellen.

https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2024-31497


Security updates for Tuesday

Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

https://lwn.net/Articles/970036/


Proscend Communications M330-W and M330-W5 vulnerable to OS command injection

https://jvn.jp/en/jp/JVN23835228/


B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products

https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFail-bf1f2ea5.pdf


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10

https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/


Mozilla: Security Vulnerabilities fixed in Firefox 125

https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/


Libreswan: IKEv1 default AH/ESP responder can crash and restart

https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt


Measuresoft ScadaPro

https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01


Electrolink FM/DAB/TV Transmitter

https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Rockwell Automation ControlLogix and GuardLogix

https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03


RoboDK RoboDK

https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04