Daily summary - 23.01.2025

End-of-Day report

Timeframe: Wednesday 22-01-2025 18:00 - Thursday 23-01-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

Zendesk's Subdomain Registration Abused in Phishing Scams

Leveraging Zendesk's communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking.

https://hackread.com/zendesk-subdomain-registration-abused-phishing-scams/


Home server operating system: Updates fix security vulnerabilities in Unraid

Attackers could exploit the vulnerabilities to slip their own JavaScript code or malicious plug-ins past the UnRAID admin. [..] All security vulnerabilities are fixed in the latest major version 7.0.0, released at the beginning of January, and in a bugfix release for the previous version.

https://heise.de/-10253366


Researchers say new attack could take down the European power grid

Late last month, researchers revealed a finding that's likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.

https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-take-down-european-power-grid/


Telegram captcha tricks you into running malicious PowerShell scripts

Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware.

https://www.bleepingcomputer.com/news/security/telegram-captcha-tricks-you-into-running-malicious-powershell-scripts/


Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. [..] The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.

https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html


Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features.

https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.html


Supply chain attack hits Chrome extensions, could expose millions

Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already. [..] A number of the potentially affected extensions (according to Booz Allen Hamilton's report) appear to have been pulled from the Chrome Web Store at the time of writing.

https://go.theregister.com/feed/www.theregister.com/2025/01/22/supply_chain_attack_chrome_extension/


Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a


Denuvo Analysis

Denuvo is an anti-tamper and digital rights management (DRM) system. It is primarily used to protect digital media such as video games from piracy and reverse engineering efforts. Unlike traditional DRM systems, Denuvo employs a wide range of unique techniques and checks to confirm the integrity of both the game's code and the licensed user.

https://connorjaydunn.github.io/blog/posts/denuvo-analysis/

Vulnerabilities

Critical vulnerability in SonicWall SMA1000 - actively exploited - update available

A critical vulnerability has been discovered in the SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) that is already being actively exploited by attackers. The vulnerability allows the execution of arbitrary code without prior authentication. CVE number(s): CVE-2025-23006

https://www.cert.at/de/warnungen/2025/1/sonicwall-amc-cmc-rce


Critical zero-days impact premium WordPress real estate plugins

The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [..] Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable.

https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-premium-wordpress-real-estate-plugins/


Vulnerabilities in Jenkins plug-ins endanger development environments

Under certain conditions, attackers can attack software development servers through Jenkins plug-ins. Affected plug-ins include Azure Service Fabric and Zoom.

https://heise.de/-10254105


Security updates for Thursday

Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django).

https://lwn.net/Articles/1005946/


Drupal: Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

https://www.drupal.org/sa-contrib-2025-007


Drupal: Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006

https://www.drupal.org/sa-contrib-2025-006


Drupal: Flattern - Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005

https://www.drupal.org/sa-contrib-2025-005


Drupal: AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

https://www.drupal.org/sa-contrib-2025-004


QNAP: Multiple Vulnerabilities in Rsync

https://www.qnap.com/en-us/security-advisory/QSA-25-02


Hitachi Energy RTU500 Series Product

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02


mySCADA myPRO Manager

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01


HMS Networks Ewon Flexy 202

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06