End-of-Day report
Timeframe: Wednesday 24-04-2024 18:00 - Thursday 25-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
New Brokewell malware takes over Android devices, steals data
Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.
https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/
Does it matter if iptables isn't running on my honeypot? (Thu, Apr 25th)
I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks.
https://isc.sans.edu/diary/rss/30862
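A quick way to answer the question in the title on the honeypot host itself is to look at what `iptables-save` actually reports. The shell snippet below is an added example, not code from the ISC diary or from the DShield honeypot project: it parses an `iptables-save` dump, counts the loaded rules and reports whether the nat PREROUTING chain carries any REDIRECT rules. The two sample dumps are constructed, and the redirected ports in them (22 to 2222, 80 to 8000) are assumed for illustration, not taken from the diary.

```shell
# Added example (not the diary's or DShield's own code): classify the firewall
# state of a honeypot host from an iptables-save dump.

# Count rule lines ("-A ...") across all tables in an iptables-save dump.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# Count REDIRECT rules in the nat table's PREROUTING chain only.
count_redirects() {
    printf '%s\n' "$1" | awk '
        /^\*/     { table = substr($0, 2) }   # "*nat", "*filter", ... start a table
        /^COMMIT/ { table = "" }
        table == "nat" && /^-A PREROUTING / && / -j REDIRECT / { n++ }
        END       { print n + 0 }'
}

# Classify a dump as "no-rules", "rules-no-redirect" or "redirect".
honeypot_fw_state() {
    rules=$(count_rules "$1")
    redirects=$(count_redirects "$1")
    if [ "$rules" -eq 0 ]; then
        echo no-rules
    elif [ "$redirects" -eq 0 ]; then
        echo rules-no-redirect
    else
        echo redirect
    fi
}

# Constructed dump: nat redirects to the honeypot services are loaded
# (ports are assumed for illustration).
SAMPLE_WITH='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 12222 -j ACCEPT
COMMIT'

# Constructed dump: the table exists but no rules are loaded, which is what a
# host whose iptables rules were never applied typically reports.
SAMPLE_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Live use on the honeypot (needs root): honeypot_fw_state "$(iptables-save)"
honeypot_fw_state "$SAMPLE_WITH"    # redirect
honeypot_fw_state "$SAMPLE_EMPTY"   # no-rules
```

If a honeypot reports `no-rules` or `rules-no-redirect`, traffic to the redirected ports never reaches the honeypot services, so its logs are not comparable with a honeypot where the redirects are in place; that is the kind of difference to rule out before comparing datasets across networks.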
Sifting through the spines: identifying (potential) Cactus ransomware victims
This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access.
https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist
Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.
https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/
Threat Bulletin - New variant of IDAT Loader
Morphisec has successfully identified and prevented a new variant of IDAT loader.
https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant
Ransomware Roundup - KageNoHitobito and DoNex
KageNoHitobito and DoNex are recently observed, financially motivated ransomware families that demand payment from victims to decrypt their files.
https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-KageNoHitobito-and-DoNex
Vulnerabilities
Maximum severity Flowmon bug has a public exploit, patch now
Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/
WP Automatic WordPress plugin hit by millions of SQL injection attacks
Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.
https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugin-hit-by-millions-of-sql-injection-attacks/
Via zero-day vulnerabilities: Cisco firewalls have been under attack for months
A previously unknown hacker group has been exploiting two zero-day vulnerabilities in Cisco firewalls since at least November 2023 to infiltrate networks.
https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-werden-seit-monaten-attackiert-2404-184540.html
On Windows: VirtualBox vulnerability grants attackers system privileges
Two researchers independently discovered a vulnerability in Oracle's VirtualBox. Attackers can use it to escalate their privileges on Windows hosts.
https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleiht-angreifern-systemrechte-2404-184545.html
Security updates for Thursday
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
https://lwn.net/Articles/971140/
Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking
The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password.
https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-switches-to-hacking/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Cisco Security Advisories 2024-04-25
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
Multiple Vulnerabilities in Hitachi Energy RTU500 Series
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01
Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04
Hitachi Energy MACH SCM
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02
PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE)
https://security.paloaltonetworks.com/PAN-SA-2024-0005