Daily Summary - 10.06.2024

End-of-Day report

Timeframe: Friday 07-06-2024 18:00 - Monday 10-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

How We Cover Your Back

As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. Initially, I intended to discuss the technical changes in our systems, but I believe it's better to start by explaining what we actually do and how we help you sleep well at night - though you should never rely solely on us!

https://www.cert.at/en/blog/2024/6/how-we-cover-your-back


Exploit for critical Veeam auth bypass available, patch now

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/


DDoS attacks target EU political parties as elections begin

Hacktivists are conducting DDoS attacks on European political parties that represent and promote strategies opposing their interests, according to a report by Cloudflare.

https://www.bleepingcomputer.com/news/security/ddos-attacks-target-eu-political-parties-as-elections-begin/


Malicious VSCode extensions with millions of installs discovered

A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official' theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.

https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/


Bypassing 2FA with phishing and OTP bots

Explaining how scammers use phishing and OTP bots to gain access to accounts protected with 2FA.

https://securelist.com/2fa-phishing/112805/


Attacker Probing for New PHP Vulnerability CVE-2024-4577, (Sun, Jun 9th)

Our honeypots have detected the first probes for CVE-2024-4577. [..] watchTowr Labs says PHP is only vulnerable if used in CGI mode in Chinese and Japanese locales. According to Orange Tsai, other locales may be vulnerable as well.

https://isc.sans.edu/diary/rss/30994


LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities

Cybersecurity researchers have disclosed that the LightSpy spyware allegedly targeting Apple iOS users is in fact a previously undocumented macOS variant of the implant. [..] The attack chain begins with the exploitation of CVE-2018-4233, a Safari WebKit flaw, via rogue HTML pages to trigger code execution, leading to the delivery of a 64-bit Mach-O binary that masquerades as a PNG image file.

https://thehackernews.com/2024/06/lightspy-spywares-macos-variant-found.html


Technical Analysis of the Latest Variant of ValleyRAT

ValleyRAT is a remote access trojan (RAT) that was initially documented in early 2023. Its main objective is to infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines. ValleyRAT is commonly distributed through phishing emails or malicious downloads. In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs.

https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat

Vulnerabilities

Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)

A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges. Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

https://www.veeam.com/kb4585


Nvidia Patches High-Severity GPU Driver Vulnerabilities

The GPU driver updates, rolling out as versions R555, R550, R535, and R470, resolve a total of five security defects, three of which are rated 'high severity' and two rated 'medium severity', Nvidia's advisory reveals. The most severe of these flaws, tracked as CVE-2024-0090, could allow attackers to execute arbitrary code, access or tamper with data, escalate privileges, or cause a denial-of-service (DoS) condition.

https://www.securityweek.com/nvidia-patches-high-severity-gpu-driver-vulnerabilities/


Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft

A critical vulnerability in the PyTorch distributed RPC framework could be exploited for remote code execution. Impacting the distributed RPC (Remote Procedure Call) framework of PyTorch and tracked as CVE-2024-5480, the issue exists because the framework does not verify the functions called during RPC operations.

https://www.securityweek.com/critical-pytorch-vulnerability-can-lead-to-sensitive-ai-data-theft/


tenable: [R1] Security Center Version 6.4.0 Fixes Multiple Vulnerabilities

A stored cross-site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page. - CVE-2024-1891

An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker could view unauthorized objects and launch scans without having the required privileges. - CVE-2024-5759

https://www.tenable.com/security/tns-2024-10


Security updates for Monday

Security updates have been issued by Fedora (galera and mariadb10.11), Mageia (0-plugins-base and plasma-workspace), Oracle (ruby:3.1 and ruby:3.3), Red Hat (bind, bind-dyndb-ldap, and dhcp), SUSE (apache2, glib2, libvirt, openssl-1_1, openssl-3, opera, python-Jinja2, python-requests, and squid), and Ubuntu (linux, linux-gcp, linux-gcp-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-xilinx-zynqmp, linux, linux-gcp, linux-gcp-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-raspi, linux, linux-ibm, linux-lowlatency, linux-raspi, linux-aws, linux-gcp, linux-azure, linux-azure-6.5, linux-starfive, linux-starfive-6.5, and linux-gke, linux-ibm, linux-intel-iotg, linux-oracle).

https://lwn.net/Articles/977789/


Vulnerability Summary for the Week of June 3, 2024

https://www.cisa.gov/news-events/bulletins/sb24-162


Canon: CPE2024-003 - uniFLOW Online Device Registration Susceptible To Compromise - 10 June 2024

https://www.canon-europe.com/support/product-security-latest-news/