Tageszusammenfassung - 08.05.2024

End-of-Day report

Timeframe: Dienstag 07-05-2024 18:00 - Mittwoch 08-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Der Briefkasten daheim als Einfallstor für Internet-Betrugsmaschen?

Online-Betrug lauert nicht nur im Internet. Zu Anrufen und SMS, die oft in Online-Betrugsmaschen führen, gesellt sich nun auch der Postkasten des Eigenheims als Einfallstor für Kriminelle hinzu. Sie nutzen die Briefkästen ihrer Opfer beispielsweise, um Sendungen aus Bestellbetrug zu erhalten, Daten und in weiterer Folge Geld zu stehlen oder um betrügerische Handwerksdienste und dazugehörige Websites zu bewerben.

https://www.watchlist-internet.at/news/der-briefkasten-daheim-als-einfallstor-fuer-internet-betrugsmaschen/


Massive webshop fraud ring steals credit cards from 850,000 people

A massive network of 75,000 fake online shops called BogusBazaar tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders.

https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-steals-credit-cards-from-850-000-people/


Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th)

DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS.

https://isc.sans.edu/diary/rss/30898


Analyzing Synology Disks on Linux, (Wed, May 8th)

Synology NAS solutions are popular devices. They are also used in many organizations. [..] They offer multiple disk management options but rely on many open-source software (like most appliances). [..] Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools. In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders.

https://isc.sans.edu/diary/rss/30904


Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.

https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html


New Spectre-Style Pathfinder Attack Targets Intel CPU, Leak Encryption Keys and Data

Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. [..] Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs.

https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html


Ghidra nanoMIPS ISA module

Here we will demonstrate how to load a MediaTek baseband firmware into Ghidra for analysis with our nanoMIPS ISA module.

https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/


Vorsicht vor gefälschten Online-Banking-Seiten auf Bing, Google & Co

Kriminelle schalten Anzeigen in Suchmaschinen (vor allem BING) und locken so Opfer auf gefälschte Online-Banking-Seiten. Vorsicht: Wenn Sie hier Ihre Daten eingeben, können hohe Beträge von Ihrem Konto abgebucht werden! Vergewissern Sie sich immer, dass Sie auf der echten Login-Seite Ihrer Bank sind!

https://www.watchlist-internet.at/news/gefaelschtes-online-banking-suchmaschinen/


RemcosRAT Distributed Using Steganography

AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.

https://asec.ahnlab.com/en/65111/

Vulnerabilities

F5: K000139404: Quarterly Security Notification (May 2024)

F5 has released 13 security advisories (7x high, 6x medium) and 3 security exposures.

https://my.f5.com/manage/s/article/K000139404


Security updates for Wednesday

Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2).

https://lwn.net/Articles/972861/


WordPress: Cross-Site-Scripting-Schwachstelle in älteren Cores; und WordPress 6.5.3 verfügbar

Ich hoffe, ihr seid auf der aktuellen WordPress-Version, denn in älteren WordPress-Versionen gibt es eine Cross-Site-Scripting-Schwachstelle [..] und wer LightSpeed Cache als Plugin nutzt, sollte dringend updaten.

https://www.borncity.com/blog/2024/05/07/wordpress-cross-site-scripting-schwachstelle-im-core-wordpress-6-5-3/


VMware Avi Load Balancer: Rechteausweitung zu root möglich

Im Load Balancer VMware Avi können Angreifer ihre Rechte erhöhen oder unbefugt auf Informationen zugreifen. Updates korrigieren das.

https://heise.de/-9711733


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/