End-of-Day report
Timeframe: Friday 28-06-2024 18:00 - Monday 01-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Roles in Cybersecurity: CSIRTs / LE / others
Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn't in the position to really present my own view on some of the issues, so I'm using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what's wrong with IT Security.
https://www.cert.at/en/blog/2024/7/csirt-le-military
NIS2 - Implementing Acts
Drafts of the Implementing Acts for the NIS 2 Directive, which will regulate the implementation details, are finally available. More precisely, they cover the criteria for when an incident becomes reportable and the risk management measures. The EU is running a public consultation on them, open until 25 July. The drafts are also available via this website.
https://www.cert.at/de/blog/2024/6/nis2-implementing-acts
Beware of fake UEFA EURO 2024 prize draws
Criminals are spreading fake UEFA EURO 2024 prize draws by e-mail. The e-mail claims that you can win a UEFA EURO 2024 Mystery Box if you click on the link and take part in a short survey. Beware: the criminals steal your data and you end up in a subscription trap!
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gewinnspielen-zur-uefa-euro-2024/
Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure.
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/
Dev rejects CVE severity, makes his GitHub repo read-only
The popular open source project ip had its GitHub repository archived, or made "read-only", by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects.
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/
Fake IT support sites push malicious PowerShell scripts as Windows fixes
Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.
https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/
Router makers support portal responds with MetaMask phishing
BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise.
https://www.bleepingcomputer.com/news/security/router-makers-support-portal-responds-with-metamask-phishing/
Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data
[..] threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort.
https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html
CapraRAT Spyware Disguised as Popular Apps Threatens Android Users
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. [..] The list of new malicious APK files identified by SentinelOne is as follows - Crazy Game, Sexy Videos, TikToks, Weapons
https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html
Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats
Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia.
https://sec-consult.com/blog/detail/unveiling-qilin-agenda-ransomware-a-deep-dive-into-modern-cyber-threats/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh).
https://lwn.net/Articles/980252/
regreSSHion: Remote Unauthenticated Code Execution Vulnerability (CVE-2024-6387) in OpenSSH server
A critical vulnerability (CVE-2024-6387) in the OpenSSH server (sshd) was tested on glibc-based Linux systems. This vulnerability potentially allows an unauthenticated attacker to execute arbitrary code as root on the affected system via a race condition in the signal handler. OpenBSD-based systems are not affected. Although the vulnerability is classified as Remote Code Execution (RCE), exploiting it is extremely complex. [..] Affected are OpenSSH versions earlier than 4.4p1, unless they have been patched against CVE-2006-5051 and CVE-2008-4109, as well as OpenSSH versions from 8.5p1 up to and including 9.8p1.
https://www.cert.at/de/aktuelles/2024/7/regresshion-remote-unauthenticated-code-execution-vulnerability-cve-2024-6387-in-openssh-server
IP telephony: Avaya IP Office plugs critical security holes
Updates for Avaya IP Office close security holes in the software. Through them, attackers could inject malicious code.
https://heise.de/-9784229
ABB: 2024-07-01: Cyber Security Advisory - ASPECT system operating with default credentials while exposed to the Internet
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch
Kubernetes: Invalid entry in vulnerability feed
https://github.com/kubernetes/website/issues/47003