Daily Summary - 26.02.2025

End-of-Day report

Timeframe: Tuesday 25-02-2025 18:00 - Wednesday 26-02-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl

News

Data breach search site Have I Been Pwned expanded by 284 million accounts

Email addresses and passwords harvested by infostealer malware were shared in the Telegram channel ALIEN TXTBASE. These data have now been integrated into HIBP.

https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-Millionen-Accounts-aufgestockt-10296120.html


Russian officials warn of potential compromise of major tech services provider

In an unusual public disclosure, the Russian government said that subsidiaries of LANIT, a major tech services provider, had potentially been breached.

https://therecord.media/lanit-russia-government-contractor-potential-compromise


EncryptHub breaches 618 orgs to deploy infostealers, ransomware

A threat actor tracked as EncryptHub, aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/


Cyberattacks: Vulnerabilities in Zimbra and Microsoft Partner Center under attack

Older security vulnerabilities in Zimbra and Microsoft Partner Center are currently being exploited, the US cybersecurity agency CISA warns.

https://heise.de/-10296961


When love of football gets expensive: fake shops in the name of Manchester United, Real Madrid or FC Barcelona

Scammers repeatedly imitate the online stores of top clubs and lure with rock-bottom prices. Fans are delighted by a supposed super bargain. But the goods never arrive, and the money is gone.

https://www.watchlist-internet.at/news/fussball-fake-shops/


Android happy to check your nudes before you forward them

The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency. [..] The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.

https://www.malwarebytes.com/blog/news/2025/02/android-happy-to-check-your-nudes-before-you-forward-them


Exploits and vulnerabilities in Q4 2024

This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024.

https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/


The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248)

Today, we're here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution - specifically in version 10.11.3.86570 [..] 18th October 2024 watchTowr is assigned CVE-2024-48248 for this vulnerability [..] 4th November 2024: NAKIVO silently patches the vulnerability (v11.0.0.88174)

https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/


A dive into the Rockchip Bootloader

Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU's RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders.

https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-bootloader/


Technical Advisory: Multiple Vulnerabilities in TCPDF

NCC Group has identified multiple vulnerabilities in TCPDF, which is a popular library used for PDF generation. [..] 12/23/24 - Vendor releases version 6.8.0 to address issues.

https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulnerabilities-in-tcpdf/


Pwn everything Bounce everywhere all at once (part 1)

The following article describes how, during an "assumed breach" security audit, we compromised multiple web applications on our client's network in order to carry out a watering hole attack by installing fake Single Sign-On pages on the compromised servers.

http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part-1.html


Pwn everything Bounce everywhere all at once (part 2)

In our second episode we take a look at SOPlanning, a project management application that we encountered during the audit.

http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part-2.html

Vulnerabilities

Synology-SA-25:03 DSM

A vulnerability allows attackers to read any file via writable Network File System (NFS) service.

https://www.synology.com/en-global/support/security/Synology_SA_25_03


Cisco Application Policy Infrastructure Controller Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-multi-vulns-9ummtg5


Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ici-dpOjbWxk


Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k-healthdos-eOqSWK4g