Daily summary - 23.09.2024

End-of-Day report

Timeframe: Friday 20-09-2024 18:00 - Monday 23-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer

News

Hyper-V and VMware: vulnerabilities, patches, PoCs

A vulnerability in Hyper-V was recently patched, and a proof of concept (PoC) for it is now available. VMware also has vulnerabilities, along with information on how to break out of the VM.

https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-patches-pocs/


Android malware Necro infects 11 million devices via Google Play

A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks.

https://www.bleepingcomputer.com/news/security/android-malware-necro-infects-11-million-devices-via-google-play/


Global infostealer malware operation targets crypto users, gamers

A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo."

https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/


Phishing links with @ sign and the need for effective security awareness building (Mon, Sep 23rd)

While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format - the ability to specify information about a user in the URI before its "host" part (domain or IP address).

https://isc.sans.edu/diary/rss/31288
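The userinfo trick the diary describes is easy to miss by eye but trivial to surface programmatically: everything before the last "@" in the authority part is userinfo, and only what follows it is the host that the browser actually connects to. The following is an added example (not code from the ISC diary) that uses Python's standard urllib.parse to split constructed sample links into their userinfo and effective host, so a mail filter or triage script can flag links whose "displayed" domain sits in the userinfo part. All domains and addresses in the sample list are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample links (hypothetical domains and documentation-range IPs,
# not taken from the diary). The second and third hide the real host behind
# a lookalike "user name" placed before the @ sign.
SAMPLE_LINKS = [
    "https://www.example-bank.com/login",
    "https://www.example-bank.com@203.0.113.10/login",
    "https://account:verify@lure.example/reset",
    "http://[2001:db8::1]/status",
]


def effective_host(url):
    """Return (userinfo, host) for a URL.

    userinfo is the raw text before the last '@' in the authority
    (None when absent); host is what the client will actually resolve.
    urlsplit already honours RFC 3986 precedence, so an '@' inside the
    path or query is not mistaken for a userinfo separator.
    """
    parts = urlsplit(url)
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    return userinfo, parts.hostname


def is_userinfo_lure(url):
    """True when the URL carries userinfo that looks like a hostname.

    Legitimate userinfo in a mailed link is rare; userinfo that contains a
    dot (e.g. 'www.example-bank.com') is the pattern used to make the
    visible part of the link read like a trusted domain.
    """
    userinfo, host = effective_host(url)
    return userinfo is not None and host is not None and "." in userinfo


def triage(urls):
    """Return a list of (url, userinfo, host, flagged) tuples for review."""
    report = []
    for url in urls:
        userinfo, host = effective_host(url)
        report.append((url, userinfo, host, is_userinfo_lure(url)))
    return report


if __name__ == "__main__":
    for url, userinfo, host, flagged in triage(SAMPLE_LINKS):
        marker = "FLAG" if flagged else "ok  "
        print(f"{marker} host={host!r} userinfo={userinfo!r} <- {url}")
```

In an awareness context the same split is worth showing to users: the address bar will display `203.0.113.10`, not `www.example-bank.com`, once the link is opened, which is the cue the diary wants people to recognise.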


Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process.

https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/


Why Do Criminals Love Phishing-as-a-Service Platforms?

Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we'll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-criminals-love-phishing-as-a-service-platforms/


CISA boss: Makers of insecure software are enablers of the real villains

Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference.

https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/


Proxy Detection: Comparing Detection Services with the Truth

In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth.

https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-services-with-the-truth/


Hackers Claim Second Dell Data Breach in One Week

Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident.

https://hackread.com/dell-hit-by-second-security-breach-in-week/

Vulnerabilities

Security updates for Monday

Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15).

https://lwn.net/Articles/991377/