Tageszusammenfassung - 11.11.2024

End-of-Day report

Timeframe: Freitag 08-11-2024 18:00 - Montag 11-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer

News

Palo Alto untersucht mögliche Sicherheitslücke in PAN-OS-Webinterface

Palo Alto untersucht eine angebliche Codeschmuggel-Lücke in der Verwaltungsoberfläche von PAN-OS. Ein Teil betroffener Kunden wird informiert. [..] Palo Alto empfiehlt Kunden dringend, sicherzustellen, dass der Zugang zur Verwaltungsoberfläche korrekt und im Einklang mit den empfohlenen Best-Practices-Richtlinien erfolgt. Dafür stellt das Unternehmen auch eine Anleitung bereit.

https://www.heise.de/-10013896.html

Zugangsdaten aus 2023 für Zugriff ausgenutzt - "Helldown Leaks"-Ransomware kompromittiert Unternehmen über Zyxel-Firewalls

Seit etwa Anfang August 2024 werden international Unternehmen durch die Ransomware-Gruppe "Helldown Leaks" verschlüsselt. Als initialer Angriffsvektor können durchgängig Zyxel-Firewalls ausgemacht werden, selbst wenn diese auf dem letzten Software-Stand sind.

https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-ausgenutzt-helldown-leaks-ransomware-kompromittiert-unternehmen-uber-zyxel-firewalls

Testing the Koord2ool

As part of the EU-funded project -AWAKE-, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time.

https://www.cert.at/en/blog/2024/11/testing-the-koord2ool

Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.

https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html

#StopRansomware: Black Basta

Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

Cyberattack causes credit card readers to malfunction in Israel

As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp-s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments.

https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to-malfunction

Malware Steals Account Credentials

It-s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We-ll explore one such case.

https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html

Known Attacks On Elliptic Curve Cryptography

In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet.

https://github.com/elikaski/ECC_Attacks

Pishi: Coverage guided macOS KEXT fuzzing

In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I-ll break down the concepts, provide relatable examples, and resources, My goal is to make fuzzing approachable and interesting.

https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html

Vulnerabilities

Veeam Backup Enterprise Manager: Unbefugte Zugriffe durch Angreifer möglich

Setzen Angreifer erfolgreich an der Schwachstelle (CVE-2024-40715 "hoch") an, können sie die Authentifizierung umgehen und Verbindungen als Man-in-the-Middle belauschen. Wie das im Detail ablaufen könnte, ist bislang nicht bekannt. [..] Ein Sicherheitspatch steht zum Download bereit.

https://www.heise.de/-10018234.html

Security updates for Monday

Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).

https://lwn.net/Articles/997774/