End-of-Day report
Timeframe: Mittwoch 31-07-2024 18:00 - Donnerstag 01-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
Credit card users get mysterious shopify-charge.com charges
People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything. [..] BleepingComputer attempted to contact Shopify multiple times but did not receive a reply to our emails. [..] Shopify has recently suffered a third-party data breach at one of its vendors, leading many to think these charges may be related. However, the data exposed in that breach did not contain credit card or payment information.
https://www.bleepingcomputer.com/news/security/credit-card-users-get-mysterious-shopify-chargecom-charges/
Onyx Sleet uses array of malware to gather intelligence [..]
First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern.
https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/
CrowdStrike Is Sued By Shareholders Over Huge Software Outage
Shareholders have sued CrowdStrike on Tuesday, claiming the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the global software outage earlier this month that crashed millions of computers.
https://yro.slashdot.org/story/24/07/31/2233234/crowdstrike-is-sued-by-shareholders-over-huge-software-outage
Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform
In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.
https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html
Mozilla follows Google in losing trust in Entrusts TLS certificates
A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.
https://go.theregister.com/feed/www.theregister.com/2024/08/01/mozilla_entrust/
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3
To wrap up this blog series we wanted to include one more technique that you can use when exploiting this class of vulnerabilities. This technique, introduced to us by Abdelhamid Naceri, becomes useful when you have an on-boot arbitrary delete primitive that you want to transform into an on-demand delete, so that you can escalate using the C:\Config.msi technique.
https://www.thezdi.com/blog/2024/7/31/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-3
Detecting evolving threats: NetSupport RAT campaign
In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.
https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/
Vulnerabilities
Security updates for Thursday
ecurity updates have been issued by Debian (chromium), Fedora (kernel, obs-cef, and xen), Mageia (emacs), Oracle (freeradius, freeradius:3.0, and kernel), Red Hat (emacs, httpd, and kpatch-patch-4_18_0-305_120_1), Slackware (curl), SUSE (apache2, cockpit-wicked, glibc, gnutls, gvfs, less, nghttp2, opensc, python-idna, python-requests, qemu, rpm, tpm2-0-tss, tpm2.0-tools, and unbound), and Ubuntu (clickhouse, exim4, libcommons-collections3-java, linux, linux-aws, linux-kvm, linux-lts-xenial, mysql-8.0, openssl, php-cas, prometheus-alertmanager, and snapd).
https://lwn.net/Articles/984212/
CISA Releases Nine Industrial Control Systems Advisories
Johnson Controls, AVTECH, Vonets, Rockwell
https://www.cisa.gov/news-events/alerts/2024/08/01/cisa-releases-nine-industrial-control-systems-advisories
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 22, 2024 to July 28, 2024)
https://www.wordfence.com/blog/2024/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-22-2024-to-july-28-2024/