Tageszusammenfassung - 12.09.2024

End-of-Day report

Timeframe: Mittwoch 11-09-2024 18:00 - Donnerstag 12-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

GitLab warns of critical pipeline execution vulnerability

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/

Sicherheitspaket: CCC droht mit Anleitungen zur Überwachungssabotage

Zivilgesellschaftliche Verbände sind empört über das Sicherheitspaket der Bundesregierung. Der "billige Populismus" spiele Rechtsextremen in die Hände.

https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ueberwachungssabotage-2409-188906.html

SiteCheck Remote Website Scanner - Mid-Year 2024 Report

Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, ..

https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2024-report.html

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.The black hat SEO ..

https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html

Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns."Selenium Grid is a server that facilitates running test cases in parallel ..

https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.html

Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline

Hauling in 30,000 staff IN PERSON to do password resets Breaking Transport for Londons ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees passwords will need to be reset via in-person appointments.

https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/

Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey

Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to ..

https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/

Living off the land, GPO style

TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog ..

https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/

Ransomware: Attacks Once More Nearing Peak Levels

Attacks surge again in second quarter of 2024 as attackers bounce back from disruption.

https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-attacks-rebound

Introduction to Third-Party Risk Management

In today-s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we-re in, can have great advantages such as being able to offer new services quickly while relying on other-s expertise or cutting costs on already existing processes.

https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-management/

Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API

CVE-2024-38257 is considered -less likely- to be exploited, though it does not require any user interaction or user privileges.

https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/

Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software-s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.

https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack -surge fist- in the Street Fighter series. When Hadooken is executed, ..

https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1

Microsoft Office: ActiveX wird abgedreht

Länger war es still darum, aber ActiveX gibt es noch. Kommende Microsoft Office-Versionen schalten die Unterstützung endlich ab. Zumindest fast.

https://heise.de/-9865690

Vulnerabilities

Cisco Routed Passive Optical Network Controller Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL

Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pak-mem-exhst-3ke9FeFy

Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp

Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-l2services-2mvHdNuC

Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-xehpbVNe