Daily summary - 21.05.2024

End-of-Day report

Timeframe: Friday 17-05-2024 18:00 - Tuesday 21-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl

News

Ransomware gang targets Windows admins via PuTTY, WinSCP malvertising

A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for PuTTY and WinSCP.

https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/

Banking malware Grandoreiro returns after police disruption

The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks.

https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/

CISA warns of hackers exploiting Chrome, EoL D-Link bugs

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-chrome-eol-d-link-bugs/

New BiBi Wiper version also destroys the disk partition table

A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims.

https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-destroys-the-disk-partition-table/

GitHub warns of SAML auth bypass flaw in Enterprise Server

GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.

https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/

Unprotected API: security flaw turns students into laundry millionaires

Laundry machines from CSC Serviceworks are installed in many universities and dormitories. Two students have discovered a security flaw in them - with considerable potential for abuse.

https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-studenten-zu-waesche-millionaeren-2405-185242.html

Fluent Bit: critical vulnerability affects all major cloud providers

The vulnerability can be used not only to cause outages and exfiltrate data; under certain circumstances remote code execution is also possible.

https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-gaengigen-cloudanbieter-2405-185277.html

Analyzing MSG Files, (Mon, May 20th)

.msg email files are OLE files and can be analyzed with my tool oledump.py.

https://isc.sans.edu/diary/Analyzing+MSG+Files/30940

Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a ..

https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html

Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible ..

https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html

SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure

The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from ..

https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html

Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users

A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the ..

https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html

Beware of the Telegram group -Scammerpayback-

Criminals post fake offers of help in forums, on Facebook pages or in groups where fraud victims look for support or information. Using fake or hijacked profiles, they comment on Facebook posts by Watchlist Internet and lure victims into a Telegram group where they supposedly get their money back.

https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammerpayback/

Security update: DoS vulnerabilities in network analysis tool Wireshark closed

In the current version of Wireshark, the developers have closed three security vulnerabilities and fixed several bugs.

https://heise.de/-9725317

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel).

https://lwn.net/Articles/974339/

Security updates for Tuesday

Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure).

https://lwn.net/Articles/974450/

WAGO: Vulnerability in WAGO Navigator

https://cert.vde.com/de/advisories/VDE-2024-021/

WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime

https://cert.vde.com/de/advisories/VDE-2023-068/

Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerabilities-in-some-5g-nr-4g-lte-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-home-router-devices-05-21-2024

Security updates 1.6.7 and 1.5.7 released

https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7