End-of-Day report
Timeframe: Tuesday 07-01-2025 18:00 - Wednesday 08-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
How initial access brokers (IABs) sell your users' credentials
Initial Access Brokers (IABs) are specialized cybercriminals that break into corporate networks and sell stolen access to other attackers. Learn from Specops Software about how IABs operate and how businesses can protect themselves.
https://www.bleepingcomputer.com/news/security/how-initial-access-brokers-iabs-sell-your-users-credentials/
Because of security gaps: medical association recommends opting out of the ePA for everyone
Shortly before the launch of the "ePA für alle" (electronic patient record for everyone), uncertainty is high. Doctors still see "big entry points" for hackers.
https://www.golem.de/news/wegen-sicherheitsluecken-aerzteschaft-empfiehlt-widerspruch-zu-epa-fuer-alle-2501-192224.html
FCC Launches Cyber Trust Mark for IoT Devices to Certify Security Compliance
The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices. "IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal ..
https://thehackernews.com/2025/01/fcc-launches-cyber-trust-mark-for-iot.html
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains ..
https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html
Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques
Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems. "The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated ..
https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.html
US security agency warns of attacks on MiCollab and WebLogic Server
Admins should harden their systems running Mitel and Oracle software against attacks that are currently under way.
https://www.heise.de/news/US-Sicherheitsbehoerde-warnt-vor-Attacken-auf-MiCollab-und-WebLogic-Server-10231353.html
Researchers: AI makes phishing more effective
How effective is phishing generated automatically by an LLM? It is on par with human-crafted spear phishing, researchers say.
https://www.heise.de/news/Forscher-KI-sorgt-fuer-effektiveres-Phishing-10232370.html
A Day in the Life of a Prolific Voice Phishing Crew
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound ..
https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/
Beware of hidden costs on finelo.com and coursiv.io
The prospect of financial advancement lures many people to platforms such as finelo.com and coursive.io, which are operated by the IT company zimran.io. Both platforms advertise with big promises: while finelo.com wants to teach users how to invest cleverly, coursiv.io aims to build professional skills with the help of artificial ..
https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-finelocom-und-coursiveio/
Drupal 7 End of Life - PSA-2025-01-06
Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided. What this means for you: Any vulnerabilities that impact Drupal 7 may be released and ..
https://www.drupal.org/psa-2025-01-06
Russian internet provider confirms its network was "destroyed" following attack claimed by Ukrainian hackers
In a statement on the Russian social media platform VKontakte, the St. Petersburg-based company said the "planned" attack "destroyed" its infrastructure overnight. Nodex added that it was working to restore systems from backups but could not provide a timeline for when operations would fully resume.
https://therecord.media/russian-internet-provider-says-network-destroyed-cyberattack
Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps
Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools.
https://hackread.com/scammers-impersonate-swipe-otps-remote-access-apps/
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves ..
https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
Solving NIST Password Complexities: Guidance From a GRC Perspective
Not another password change! Isn't one (1) extra-long password enough? As a former Incident Response, Identity and Access Control, and Education and Awareness guru, I can attest ..
https://trustedsec.com/blog/solving-nist-password-complexities-guidance-from-a-grc-perspective
How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud
In our study on the SPF, DKIM, and DMARC records of the top 1M websites, we were surprised to uncover more than 1,700 public DKIM keys that were shorter than 1,024 bits in length. This finding was unexpected, as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018.
https://dmarcchecker.app/articles/crack-512-bit-dkim-rsa-key
Vulnerabilities
Cisco Common Services Platform Collector Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface ..
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cspc-xss-CDOJZyH
Cisco Crosswork Network Controller Stored Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied ..
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xwork-xss-KCcg7WwU
Security updates for Wednesday
Security updates have been issued by Fedora (firefox, mupdf, and php-tcpdf), SUSE (etcd, file-roller, gtk3, kernel, python-django-ckeditor, rubygem-json-jwt, and tomcat10), and Ubuntu (ffmpeg, HTMLDOC, linux-aws, linux-raspi, linux-gke, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, and tinyproxy).
https://lwn.net/Articles/1004428/