Daily summary - 18.06.2024

End-of-Day report

Timeframe: Monday 17-06-2024 18:02 - Tuesday 18-06-2024 18:02
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

Hackers use F5 BIG-IP malware to stealthily steal data for years

A group of suspected Chinese cyberespionage actors named Velvet Ant are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data.

https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/


Analysis of user password strength

Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques.

https://securelist.com/passworde-brute-force-time/112984/


New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.

https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.html


From Clipboard to Compromise: A PowerShell Self-Pwn

Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.

https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn


Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability

With physical access to an Android device that has ADB debugging enabled and runs Android 12 or 13 without the March 2024 security patch, it is possible to access the internal data of any user-installed app by misusing the CVE-2024-0044 vulnerability.

https://www.mobile-hacker.com/2024/06/17/exfiltrate-sensitive-user-data-from-apps-on-android-12-and-13-using-cve-2024-0044-vulnerability/


Warning, fake: doouglasparfum.com

Professional-looking online shops posing as Douglas are currently offering brand-name perfumes at more than 50 percent below the regular price. Even the web addresses doouglasparfum.com and dougllas.com look plausible at first glance. Anyone who buys from these fake shops loses their money and receives no goods.

https://www.watchlist-internet.at/news/achtung-fake-doouglasparfumcom/


Attack Paths Into VMs in the Cloud

Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.

https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/


Private Microsoft Outlook mail accounts are to be better secured

A few days ago Microsoft announced that it intends to better secure "Outlook for private users" in the future.

https://www.borncity.com/blog/2024/06/18/private-microsoft-outlook-mailkonten-sollen-besser-abgesichert-werden/


How are attackers trying to bypass MFA?

Exploring trends in how attackers are trying to manipulate and bypass MFA, as well as when and how attackers attempt their push-spray MFA attacks.

https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/


Malvertising Campaign Leads to Execution of Oyster Backdoor

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.

https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/


Cloaked and Covert: Uncovering UNC3886 Espionage Operations

Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale.

https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/


CISA and Partners Release Guidance for Modern Approaches to Network Access Security

Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security.

https://www.cisa.gov/news-events/alerts/2024/06/18/cisa-and-partners-release-guidance-modern-approaches-network-access-security


New Diamorphine rootkit variant seen undetected in the wild

Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64 and ARM64). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker at compilation time.

https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).

https://lwn.net/Articles/978804/


Security updates: root vulnerability threatens VMware vCenter Server

Among other issues, two critical vulnerabilities threaten VMware's vCenter Server and Cloud Foundation.

https://heise.de/-9767493


Python-based exploit in Autodesk Maya software

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0011


Critical vulnerability CVE-2024-38428 in wget

https://www.borncity.com/blog/2024/06/18/kritische-schwachstelle-cve-2024-38428-in-wget-dringend-handeln/


RAD Data Communications SecFlow-2

https://www.cisa.gov/news-events/ics-advisories/icsa-24-170-01