Daily summary - 19.01.2024

End-of-Day report

Timeframe: Thursday 18-01-2024 18:00 - Friday 19-01-2024 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer

News

TeamViewer abused to breach networks in new ransomware attacks

Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.

https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/

macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th)

Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too.

https://isc.sans.edu/diary/rss/30572

Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.

https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html

Taking over WhatsApp accounts by reading voicemails

The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp's account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go to voicemail, and spoofing the victim's phone number to read their voicemail.

https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voicemails-68ad70dc2499

Recovery scam: criminals pose as blockchain.com and report an allegedly dormant Bitcoin wallet

Victims of a fraudulent trading platform sometimes suffer considerable financial losses. Their despair and their wish to get the money back are correspondingly great. Criminals exploit this and contact the victims again after some time.

https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-als-blockchaincom-aus-und-informieren-ueber-angeblich-ruhende-bitcoin-wallet/

Virtual kidnapping: How to see through this terrifying scam

Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims.

https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/

Ivanti Connect Secure VPN Exploitation: New Observations

Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online, one that leaves them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans.

https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/

Vulnerabilities

VMware confirms critical vCenter flaw now exploited in attacks

VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.

https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/

Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.

https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html

Smartphones and more: ambient light sensors can spy too

Not only smartphone cameras can spy on people, but ambient light sensors can too. This is the finding of a study published in "Science".

https://heise.de/-9601724

Attackers target Ivanti EPMM and MobileIron Core

Attackers are currently exploiting a critical security vulnerability in Ivanti EPMM and MobileIron Core.

https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-Core-9602207.html

Security updates for Thursday

Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).

https://lwn.net/Articles/958676/

Security updates for Friday

Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).

https://lwn.net/Articles/958760/

Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport

https://community.progress.com/s/article/Important-Progress-OpenEdge-Critical-Alert-for-Progress-Application-Server-in-OpenEdge-PASOE-Arbitrary-File-Upload-Vulnerability-in-WEB-Transport

ZDI Security Advisories

https://www.zerodayinitiative.com/advisories/published/

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/