Daily Summary - 03.04.2024

End-of-Day report

Timeframe: Tuesday 02-04-2024 18:00 - Wednesday 03-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

NIS2 consultation procedure started

On 3 April 2024 the Austrian government sent the Cybersecurity Act implementing the European NIS2 Directive into the public consultation (Begutachtung) phase.

https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D

Criticism after cyberattack: Microsoft does not have its crown jewels under control

A cyberattack on Microsoft's servers, detected in summer 2023, had devastating consequences for some customers. A US commission is now levelling serious accusations against the company.

https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-microsoft-waere-vermeidbar-gewesen-2404-183792.html

The Mystery of "Jia Tan," the XZ Backdoor Mastermind

As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan's first code change was to the "libarchive" compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it's unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization, a tactic that nearly worked.

https://www.wired.com/story/jia-tan-xz-backdoor/

XZ Utils Backdoor Attack Brings Another Similar Incident to Light

In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.

https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-similar-incident-to-light/

Distinctive Campaign Evolution of Pikabot Malware

PikaBot is a malicious backdoor that has been active since early 2023. Its modular design consists of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/

High mobile phone bill due to an unwanted subscription?

Out of the blue, your mobile operator informs you by e-mail or SMS that you have taken out a subscription. You are sure that you never agreed to a contract and have no idea how it happened? We show you what you can do about dubious charges on your mobile phone bill and how to protect yourself from subscription traps.

https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes-abo/

Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster

Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability.

https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-1212-in-progress-kemp-loadmaster-a6b06cd0b9f8

Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption

Our new article provides key highlights and takeaways from Operation Cronos' disruption of LockBit's operations, as well as telemetry details on how LockBit actors operated post-disruption.

https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).

https://lwn.net/Articles/968218/

Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites

A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information.

https://www.securityweek.com/critical-vulnerability-found-in-layerslider-plugin-installed-on-a-million-wordpress-sites/

CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED)

Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva's Armor product family. The root cause of this vulnerability is Minerva's implementation of OpenSSL's OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.

https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-armor-privilege-escalation-fixed/

Android patch day: attackers can gain elevated privileges

Besides Google, Samsung and other manufacturers have also released important security updates for Android devices.

https://heise.de/-9673480

Code injection vulnerability in VMware SD-WAN Edge and Orchestrator

Three security vulnerabilities in VMware's SD-WAN Edge and Orchestrator allow attackers, among other things, to inject malicious code.

https://heise.de/-9673416

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124

https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/

Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP

https://networks.unify.com/security/advisories/OBSO-2404-01.pdf