End-of-Day report
Timeframe: Mittwoch 04-09-2024 18:00 - Donnerstag 05-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords
Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.
https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-tool-backstabs-cybercriminals-steals-passwords/
Windows 11/Server 2024 SMB Security-Hardening
Microsoft hat im Vorgriff auf die kommenden Releases von Windows 11 24H2 und Windows Server 2025 Ende August 2024 einen Techcommunity-Beitrag zum Thema "SMB Security-Hardening" veröffentlicht. Das Ganze ist Teil der Microsoft Secure Future Initiative (SFI), und die Betriebssysteme sollen bereits vom Start an über gehärtete SMB-Einstellungen verfügen, um sich vor Cyberangriffen besser zu schützen.
https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-security-hardening/
CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed)
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we-ll outline them now.
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions
In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our -fake- action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code.
https://orca.security/resources/blog/typosquatting-in-github-actions/
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401
On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware.
https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Exploit-GeoServer-Vulnerability-CVE
Vulnerabilities
Veeam warns of critical RCE flaw in Backup & Replication software
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-flaw-in-backup-and-replication-software/
Angreifer können durch Hintertür in Cisco Smart Licensing Utility schlüpfen
Aufgrund von mehreren Schwachstellen sind Attacken auf Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager und Smart Licensing Utility vorstellbar. [..] Smart Licensing Utility ist durch zwei "kritische" Sicherheitslücken (CVE-2024-20439, CVE-2024-20440) bedroht. Im ersten Fall kann ein entfernter Angreifer ohne Anmeldung aufgrund von statischen Admin-Zugangsdaten auf Instanzen zugreifen. Mit den Adminrechten des Accounts erlangt ein Angreifer die volle Kontrolle. [..] Meraki Systems Manager Agent for Windows kann sich aufgrund einer Lücke (CVE-2024-20430 "hoch") an einer mit Schadcode präparierten DLL-Datei verschlucken. [..]
https://heise.de/-9857962
Drupal: Security advisories 2024-September-04
Drupal released 5 security advisories (1x Critical, 4x Moderately critical)
https://www.drupal.org/security
Security updates for Thursday
Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc).
https://lwn.net/Articles/989046/
Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP9-IF02