Daily summary - 16.05.2024

End-of-Day report

Timeframe: Wednesday 15-05-2024 18:00 - Thursday 16-05-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs.

https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/


Windows Quick Assist abused in Black Basta ransomware attacks

Microsoft has been investigating this campaign since at least mid-April 2024, and, as they observed, the threat group (tracked as Storm-1811) started their attacks by email bombing the target after subscribing their addresses to various email subscription services. Once their mailboxes flood with unsolicited messages, the threat actors call them while impersonating Microsoft technical support or the attacked company's IT or help desk staff to help remediate the spam issues.

https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/


Google patches third exploited Chrome zero-day in a week

Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week.

https://www.bleepingcomputer.com/news/google/google-patches-third-exploited-chrome-zero-day-in-a-week/


Springtail: New Linux Backdoor Added to Toolkit

The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.

https://symantec-enterprise-blogs.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage


Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices

This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.

https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/


ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information

AhnLab Security Intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users' image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers' commands or stealing cryptocurrency-related information. The malware newly discovered this time utilizes the open-source OCR engine Tesseract.

https://asec.ahnlab.com/en/65426/


Talos releases new macOS open-source fuzzer

Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. [..] Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.

https://blog.talosintelligence.com/talos-releases-new-macos-fuzzer/


Llama Drama: Critical Vulnerability CVE-2024-34359 Threatening Your Software Supply Chain

Jinja2: This library is a popular Python tool for template rendering, primarily used for generating HTML. Its ability to execute dynamic content makes it powerful but can pose a significant security risk if not correctly configured to restrict unsafe operations. `llama_cpp_python`: This package integrates Python's ease of use with C++'s performance, making it ideal for complex AI models handling large data volumes. However, its use of Jinja2 for processing model metadata without enabling necessary security safeguards exposes it to template injection attacks. [..] The vulnerability identified has been addressed in version 0.2.72 of the llama-cpp-python package, which includes a fix enhancing sandboxing and input validation measures.

https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-34359-threatening-your-software-supply-chain/


The xz apocalypse that almost was

Given Bitsight’s pretty broad view of the Internet, I thought I could contribute to the discussion a bit and ask “how bad could this have been?” and as a corollary “how many chances would there have been to notice?” So let’s get into the “how bad could this have been?” question first.

https://www.bitsight.com/blog/xz-apocalypse-almost-was

Vulnerabilities

Security updates for Thursday

Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, and nodejs:20), Debian (chromium, firefox-esr, ghostscript, and libreoffice), Fedora (djvulibre, mingw-glib2, mingw-python-jinja2, and mingw-python-werkzeug), Oracle (.NET 7.0, .NET 8.0, kernel, and nodejs:18), Red Hat (nodejs:20), Slackware (gdk and git), SUSE (python), and Ubuntu (linux-hwe-5.15, linux-raspi).

https://lwn.net/Articles/973908/


Vulnerabilities in surveillance cameras and video baby monitors

Vulnerabilities in the ThroughTek Kalay IoT platform. Check the update status of IoT devices urgently.

https://www.zdnet.de/88415973/sicherheitsluecken-in-ueberwachungskameras-und-video-babyphones/


Wi-Fi attack: SSID confusion attack leaves users vulnerable

A vulnerability in Wi-Fi protocols allows attackers in a man-in-the-middle position to manipulate Wi-Fi traffic. [..] WEP, which is no longer secure to use anyway, is affected, and so is the newer, otherwise more secure WPA3. According to the list, 802.11X/EAP and mesh networks with AMPE authentication are also vulnerable to SSID confusion.

https://heise.de/-9720818


Cisco: updates close security vulnerabilities in several products

Several Cisco products contain security vulnerabilities through which attackers can, for example, gain root privileges and compromise devices. [..] In total, Cisco warns of high-risk vulnerabilities in three advisories.

https://heise.de/-9720226


Free admin panel: code injection via cross-site scripting in Froxlor

Thanks to sloppy input filtering, attackers can execute JavaScript in the server admin's browser without logging in. A patch is available.

https://heise.de/-9721569


Network security: various Fortinet products vulnerable to different attacks

Important security updates have been released for FortiSandbox, FortiPortal and FortiWebManager, among other products.

https://heise.de/-9720252


Aruba access points vulnerable: no updates for older versions

In total, the developers have closed six "critical" vulnerabilities in still-supported versions of ArubaOS and InstantOS.

https://heise.de/-9720385


Rockwell Automation FactoryTalk View SE

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14


[R1] Nessus Agent Version 10.6.4 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2024-09


[R1] Nessus Version 10.7.3 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2024-08


F5: K000139637 : Expat vulnerability CVE-2024-28757

https://my.f5.com/manage/s/article/K000139637


F5: K000139643 : Node.js vulnerability CVE-2024-28863

https://my.f5.com/manage/s/article/K000139643