Daily Summary - 19.02.2024

End-of-Day report

Timeframe: Friday 16-02-2024 18:00 - Monday 19-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Anatsa Android malware downloaded 150,000 times via Google Play

The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play.

https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play/

Mirai-Mirai On The Wall... [Guest Diary], (Sun, Feb 18th)

This article is about one of the ways attackers on the open Internet are attempting to use the Mirai Botnet [1][2] malware to exploit vulnerabilities on exposed IoT devices.

https://isc.sans.edu/diary/rss/30658

Remote Access Trojan (RAT): Types, Mitigation & Removal

Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate software or by exploiting a vulnerability in the system) and opens backdoors for attackers to perform a wide range of malicious activities on the victim's computer. This blog post is designed to educate readers on RATs - how they work, the risks they pose, and how to protect against them.

https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html

The scary DNS "KeyTrap" bug explained in plain words

If you were following the IT media last week, you'd have been forgiven for awaiting the imminent implosion of the internet, with DNS itself in desperate danger. [...] Obviously, the next step is for the community to update the DNSSEC specifications, and thereby to protect proactively against this sort of extreme denial-of-service attack by building in new precautions for everyone to follow.

https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/

AI: OpenAI and Microsoft close accounts of state threat actors

Microsoft and OpenAI have closed accounts of suspected state threat actors who used ChatGPT for criminal purposes.

https://www.heise.de/-9631899.html

Mastodon: Spam wave exposes weaknesses and raises concern about a worse method

For days, some users on Mastodon have been complaining about a wave of spam. It is caused by automated attacks on insufficiently protected parts of the Fediverse.

https://www.heise.de/-9632055.html

CVE Prioritizer: Open-source tool to prioritize vulnerability patching

CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA's KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems.

https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vulnerability-patching/

Why keeping track of user accounts is important

CISA has issued an advisory after the discovery of documents containing information about a state government organization's network environment on a dark web brokerage site.

https://www.malwarebytes.com/blog/news/2024/02/why-keeping-track-of-user-accounts-is-important

Fake Flixbus offer: "Lost luggage for 2 euros"

A fake Flixbus advertisement is circulating on Facebook and Instagram. The ad claims that Flixbus is selling lost luggage for 2 euros. You are lured with the promise that the suitcases often contain mobile phones, laptops or jewellery. However, it is a subscription trap.

https://www.watchlist-internet.at/news/gefaelschtes-flixbus-angebot-verlorenes-gepaeck-fuer-2-euro/

The Most Dangerous Entra Role You've (Probably) Never Heard Of

Entra ID has a built-in role called "Partner Tier2 Support" that enables escalation to Global Admin, but [...]

https://posts.specterops.io/the-most-dangerous-entra-role-youve-probably-never-heard-of-e00ea08b8661

Vulnerabilities

CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover

During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. [...] The vendor does not view this as a valid vector so will not be releasing an official patch, but it's important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we've decided to make the patch ourselves [...]

https://rhinosecuritylabs.com/research/cve-2024-23724-ghost-cms-stored-xss/

Solarwinds: Code injection possible, updates available

Solarwinds closes security vulnerabilities in Access Rights Manager and Platform (Orion). Attackers can inject malicious code.

https://www.heise.de/-9632541.html

Security updates for Monday

Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13).

https://lwn.net/Articles/962753/

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

ADS-TEC Industrial IT: Docker vulnerability affects multiple products

https://cert.vde.com/de/advisories/VDE-2024-016/

K000138640 : Perl vulnerability CVE-2023-47038

https://my.f5.com/manage/s/article/K000138640

K000138641 : cURL vulnerability CVE-2023-46219

https://my.f5.com/manage/s/article/K000138641

K000138643 : OpenSSH vulnerability CVE-2023-51767

https://my.f5.com/manage/s/article/K000138643