End-of-Day report
Timeframe: Friday 17-05-2024 18:00 - Tuesday 21-05-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
News
Ransomware gang targets Windows admins via PuTTY, WinSCP malvertising
A ransomware operation targets Windows system administrators by buying Google ads that promote fake download sites for PuTTY and WinSCP.
https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/
Banking malware Grandoreiro returns after police disruption
The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks.
https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/
CISA warns of hackers exploiting Chrome, EoL D-Link bugs
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers.
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-chrome-eol-d-link-bugs/
New BiBi Wiper version also destroys the disk partition table
A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims.
https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-destroys-the-disk-partition-table/
GitHub warns of SAML auth bypass flaw in Enterprise Server
GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/
Unprotected API: security flaw turns students into laundry millionaires
Laundry machines from CSC ServiceWorks are installed in many universities and student dormitories. Two students discovered a security flaw in them with considerable potential for abuse.
https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-studenten-zu-waesche-millionaeren-2405-185242.html
Fluent Bit: critical vulnerability affects all major cloud providers
The vulnerability can be used not only to cause outages and exfiltrate data; under certain circumstances it also allows remote code execution.
https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-gaengigen-cloudanbieter-2405-185277.html
Analyzing MSG Files, (Mon, May 20th)
.msg email files are OLE files and can be analyzed with my tool oledump.py.
https://isc.sans.edu/diary/Analyzing+MSG+Files/30940
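As an added triage example (not code from the diary above and not oledump.py itself), the following Python parses the fixed header of an OLE compound file, which is what a .msg file is. It uses only the standard library and a constructed, minimal version-3 header as sample input, so it runs offline; the field layout follows the MS-CFB specification.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# MS-CFB header: 76 bytes of fixed fields, then the 109-entry DIFAT array (512 bytes total)
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
DIFAT_FMT = "<109I"
HEADER_LEN = 512
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE


def parse_ole_header(data: bytes):
    """Return the parsed compound-file header as a dict, or None if data is not OLE."""
    if len(data) < HEADER_LEN or data[:8] != OLE_MAGIC:
        return None
    (_magic, _clsid, minor, major, byte_order, sector_shift, mini_shift, _rsv,
     n_dir, n_fat, first_dir, _txn, mini_cutoff, first_minifat, n_minifat,
     first_difat, n_difat) = struct.unpack_from(HEADER_FMT, data, 0)
    difat = struct.unpack_from(DIFAT_FMT, data, 0x4C)

    # Sanity checks a malformed or deliberately odd container would trip.
    warnings = []
    if byte_order != 0xFFFE:
        warnings.append("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        warnings.append("version %d with sector shift %d is non-standard" % (major, sector_shift))
    if mini_shift != 6:
        warnings.append("mini sector shift %d != 6" % mini_shift)
    if mini_cutoff != 0x1000:
        warnings.append("mini stream cutoff 0x%X != 0x1000" % mini_cutoff)

    return {
        "version": (major, minor),
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": n_fat,
        "first_directory_sector": first_dir,
        "minifat_sectors": n_minifat,
        "first_minifat_sector": first_minifat,
        "difat_sectors": n_difat,
        "first_difat_sector": first_difat,
        "difat": [s for s in difat if s != FREESECT],  # FAT sector locations in use
        "warnings": warnings,
    }


def build_sample_header() -> bytes:
    """Constructed minimal v3 header for demonstration; not taken from a real message."""
    fixed = struct.pack(HEADER_FMT, OLE_MAGIC, bytes(16),
                        0x3E, 3,        # minor / major version
                        0xFFFE, 9, 6,   # byte order, sector shift (512), mini sector shift (64)
                        bytes(6),
                        0, 1, 1, 0,     # dir sectors (0 in v3), FAT sectors, first dir sector, txn
                        0x1000, 2, 1,   # mini stream cutoff, first mini FAT sector, mini FAT count
                        ENDOFCHAIN, 0)  # first DIFAT sector, DIFAT sector count
    difat = struct.pack(DIFAT_FMT, 0, *([FREESECT] * 108))  # one FAT sector at sector 0
    return fixed + difat


SAMPLE_MSG_HEADER = build_sample_header()

if __name__ == "__main__":
    for label, blob in (("sample.msg", SAMPLE_MSG_HEADER), ("not_ole.bin", b"MZ" + bytes(510))):
        print(label, parse_ole_header(blob))
```

The magic only tells you that the file is a compound document; .doc, .xls and .msg all share it. Deciding that it really is an Outlook message requires walking the FAT to the directory and looking for the `__properties_version1.0` and `__substg1.0_...` streams, which is the part oledump.py does for you.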
Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns
Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a ..
https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html
Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail
A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible ..
https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html
SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure
The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from ..
https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html
Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users
A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the ..
https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html
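The headline's "Unicode trick" is, in campaigns of this kind, the right-to-left override character (U+202E), which makes a name like `invoice_\u202Efdp.exe` display as `invoice_exe.pdf`; that specific character is an assumption here, since the summary above does not name it. The following Python is an added example, not code from the article or from the researchers, that flags attachment names carrying bidi control characters, approximates what the user would have seen, and reports the real extension. The attachment names are constructed for the example.

```python
import os

# Unicode bidirectional controls that can reorder how a filename is displayed.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                         ".js", ".jse", ".wsf", ".ps1", ".hta", ".msi", ".lnk"}


def displayed_name(name: str) -> str:
    """Approximate the rendered form: characters after an RLO (U+202E) are shown
    reversed until a PDF (U+202C) or the end of the string; other controls are
    invisible. This is a simplification of the full bidi algorithm that is
    accurate for the Latin-script lures these campaigns use."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == "\u202e":
            in_rlo = True
        elif ch == "\u202c":
            if in_rlo:
                out.extend(reversed(run))
                run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Compare the extension the OS will act on with the one the user sees."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    return {
        "name": name,
        "has_bidi": bool(controls),
        "controls": controls,
        "displayed": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "real_extension": real_ext,
        # A bidi control in a name whose true extension is executable is the lure itself.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan(names):
    """Return the analysis of every name that carries a bidi control character."""
    return [r for r in map(analyze_filename, names) if r["has_bidi"]]


# Constructed attachment names for the example, not real campaign artifacts.
SAMPLE_ATTACHMENTS = [
    "Q2_report.pdf",
    "invoice_\u202efdp.exe",
    "photo_\u202egnp.scr",
    "notes\u200f.txt",
    "setup.msi",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_ATTACHMENTS):
        print("%-22r shown as %-18r real ext %-5s suspicious=%s"
              % (r["name"], r["displayed"], r["real_extension"], r["suspicious"]))
```

On a mail gateway or EDR the cheap, high-signal rule is simply "bidi control character in an attachment or download name"; legitimate files almost never contain one, and the displayed-versus-real extension comparison is what to put in the alert so the analyst sees the ruse at a glance.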
Beware of the Telegram group "Scammerpayback"
Criminals post fake offers of help in forums, on Facebook pages and in groups where fraud victims look for support or information. Using fake or hijacked profiles, they comment on Facebook posts by Watchlist Internet and lure victims into a Telegram group in which they are supposedly going to get their money back.
https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammerpayback/
Security update: DoS vulnerabilities closed in network analysis tool Wireshark
In the current Wireshark release the developers have closed three security vulnerabilities and fixed several bugs.
https://heise.de/-9725317
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel).
https://lwn.net/Articles/974339/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure).
https://lwn.net/Articles/974450/
WAGO: Vulnerability in WAGO Navigator
https://cert.vde.com/de/advisories/VDE-2024-021/
WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime
https://cert.vde.com/de/advisories/VDE-2023-068/
Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerabilities-in-some-5g-nr-4g-lte-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-home-router-devices-05-21-2024
Roundcube: Security updates 1.6.7 and 1.5.7 released
https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7