End-of-Day report
Timeframe: Thursday 13-02-2025 18:00 - Friday 14-02-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
News
Palo Alto PAN-OS: Exploit code surfaces for high-risk vulnerability
The PAN-OS operating system for Palo Alto Networks firewalls contains security vulnerabilities. Exploit code already exists for one of them. [..] According to Palo Alto's advisory, the vulnerability with the highest severity rating concerns a possible authentication bypass in the management web interface.
https://www.heise.de/-10282742
whoAMI attacks give hackers code execution on Amazon EC2 instances
Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. [..] Amazon confirmed the vulnerability and pushed a fix in September but the problem persists on the customer side in environments where organizations fail to update the code.
https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances/
Critical PostgreSQL bug tied to zero-day attack on US Treasury
A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.
https://go.theregister.com/feed/www.theregister.com/2025/02/14/postgresql_bug_treasury/
Storm-2372 conducts device code phishing campaign
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams.
https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
Fake BSOD Delivered by Malicious Python Script, (Fri, Feb 14th)
I found a Python script that implements a funny anti-analysis trick.
https://isc.sans.edu/diary/rss/31686
Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining
A previously unknown gang dubbed Triplestrength poses a triple threat to organizations: It infects victims' computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency.
https://go.theregister.com/feed/www.theregister.com/2025/02/11/triplestrength_google/
Cybersecurity in wartime: every day is day zero
In the field of cybersecurity, Europe can learn from Ukraine's experience in the war against Russia. Russia's hybrid war has forced the country to continuously harden its IT systems, representatives of Ukrainian security authorities said on Thursday at the Munich Cyber Security Conference (MCSC).
https://www.heise.de/-10283051
Swiped, flirted, deceived? Beware of love scams on dating platforms
Around Valentine's Day, many people feel pressure to meet someone special. Dating apps see a real boom during this period. But hidden among genuine connections are also dubious profiles that are after their chat partners' money - often cleverly disguised and hard to see through. We explain what to look out for to date safely online.
https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-dating-portalen/
First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)
Although we believe this could work, we currently lack the necessary hardware to test it. We are also aware restricted mode isn't the only mitigation when it comes to physical accessories, and an actual exploit may be more complex. Furthermore, we have only explored one possible attack vector for this vulnerability, but others may exist. It is advisable to update your devices to the latest version, even if you do not use accessibility features.
http://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html
Vulnerabilities
Security updates for Friday
Security updates have been issued by AlmaLinux (doxygen, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, and libxml2), Debian (chromium, postgresql-13, and webkit2gtk), Fedora (krb5, openssl, and python3.13), Mageia (ark, ofono, and perl-Net-OAuth, perl-Crypt-URandom, perl-Module-Build), Oracle (firefox, gcc, gcc-toolset-14-gcc, kernel, openssl, tbb, and thunderbird), Red Hat (libxml2), SUSE (chromium, golang-github-prometheus-prometheus, grafana, kernel, kernel-firmware-ath10k-20250206, kernel-firmware-bnx2-20250206, kernel-firmware-brcm-20250206, kernel-firmware-chelsio-20250206, kernel-firmware-dpaa2-20250206, kernel-firmware-mwifiex-20250206, kernel-firmware-platform-20250206, kernel-firmware-realtek-20250206, kernel-firmware-serial-20250206, kernel-firmware-ueagle-20250206, libtasn1, python312, qemu, SUSE Manager Client Tools, SUSE Manager Client Tools MU 5.0.3, and ucode-intel-20250211), and Ubuntu (activemq and libsndfile).
https://lwn.net/Articles/1009765/
ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5925.php
ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php
ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5923.php
Kubernetes: CVE-2025-0426
https://github.com/kubernetes/kubernetes/issues/130016