End-of-Day report
Timeframe: Monday 20-01-2025 18:00 - Tuesday 21-01-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Sophos MDR tracks two ransomware campaigns using "email bombing," Microsoft Teams "vishing"
Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.
https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
7-Zip: Vulnerability allows bypass of Mark-of-the-Web
A security vulnerability in 7-Zip makes it possible to circumvent the Mark-of-the-Web protection mechanism and thereby execute code. [..] The vulnerability is closed by 7-Zip version 24.09 or newer, which has been available on the 7-Zip download page since the end of November last year. [..] 7-Zip users must take action themselves to stay protected and install the available update.
https://heise.de/-10250351
13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks
A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week.
https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html
Exchange 2016 and 2019 reach end of support - in 9 months
Microsoft reminds customers of the looming end of support for Exchange Server 2016 and 2019.
https://www.heise.de/-10249853
Medusa Ransomware: What You Need To Know
What is the Medusa ransomware? Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers.
https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-know
How to secure body-worn cameras and protect footage from cyber threats
Body-worn cameras are used by police [..] Cameras are taken into the field but footage could be presented as evidence [..] Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio.
https://www.pentestpartners.com/security-blog/how-to-secure-body-worn-cameras-and-protect-footage-from-cyber-threats/
Do not pay open invoice for "Gelbe Seiten Online" entry
In the last few days, numerous companies have received an e-mail from gsol-dach.com. In it they are asked to pay an invoice for an alleged premium company directory entry. Attention: these invoices are fraud!
https://www.watchlist-internet.at/news/rechnung-fuer-gelbe-seiten-online-eintrag-nicht-bezahlen/
Hackers impersonate Ukraine's CERT to trick people into allowing computer access
CERT-UA is warning Ukrainians not to accept requests for help via AnyDesk software unless they are sure the source is legitimate.
https://therecord.media/fake-ukraine-cert-anydesk-requests-hackers
Reverse Engineering Bambu Connect
The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect
Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions
Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. [..] Debugging the entry point in cwbnetnt.dll also confirms that password information is no longer passed to the Network Provider! This change was documented by Microsoft here in March 2024; we believe IBM should've referenced this document in their memo. This is an important change from Microsoft - let's hope not many applications rely on this backdoor and their insecure artifacts get cleaned up properly!
https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12).
https://lwn.net/Articles/1005708/
Web browser: Vulnerability in Brave enables spoofed display of the download source
In the Brave web browser, attackers can abuse a security vulnerability that leads to an incorrect display of a download's source. [..] Brave closes the vulnerability with version 1.74.48, which was released in the middle of last week.
https://heise.de/-10250205
Traffic Alert and Collision Avoidance System (TCAS) II
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01
ZF Roll Stability Support Plus (RSSPlus)
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03