Daily Summary - 26.02.2024

End-of-Day report

Timeframe: Friday 23-02-2024 18:00 - Monday 26-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Hijacked subdomains of major brands used in massive spam campaign

A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising. [..] As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam.

https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/

New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.

https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html

Actively exploited open redirect in Google Web Light

An open redirect vulnerability exists in the remains of Google Web Light service, which is being actively exploited in multiple phishing campaigns. Google decided not to fix it, so it might be advisable to block access to the Web Light domain in corporate environments.

https://untrustednetwork.net/en/2024/02/26/google-open-redirect/

Webinar: How do I protect myself against identity theft?

In this webinar we look at current scams and discuss tools that help you stay safer online.

https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-identitaetsdiebstahl/

Mattermost: Support for Extended Support Release 8.1 is ending soon

As of May 15, 2024, Mattermost Extended Support Release (ESR) version 8.1 will no longer be supported. If any of your servers are not on ESR 9.5 or later, upgrading is recommended.

https://mattermost.com/blog/support-for-extended-support-release-8-1-is-ending-soon/

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a

Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant)

AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that runs on Linux. Although Gh0st RAT samples for Linux are fewer than those for Windows, cases of Gh0st RAT for Linux continue to be collected.

https://asec.ahnlab.com/en/62144/

Ransomware Roundup - Abyss Locker

FortiGuard Labs highlights the Abyss Locker ransomware group that steals information from victims and encrypts files for financial gain.

https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker

Ransomware: LockBit admits mistakes, plans attacks on government institutions

The ransomware group LockBit admits to mistakes made out of laziness, mocks the FBI, and intends to intensify attacks on government institutions.

https://heise.de/-9638063

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube).

https://lwn.net/Articles/963725/

Critical Flaw in Popular "Ultimate Member" WordPress Plugin

The vulnerability carries a CVSS severity score of 9.8/10 and affects web sites running the Ultimate Member WordPress membership plugin.

https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordpress-plugin/

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Local Privilege Escalation via DLL Hijacking in Qognify VMS Client Viewer

https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escalation-via-dll-hijacking-im-qognify-vms-client-viewer/

F5: K000138695 : OpenSSL vulnerability CVE-2024-0727

https://my.f5.com/manage/s/article/K000138695

F5: K000138682 : libssh vulnerability CVE-2023-2283

https://my.f5.com/manage/s/article/K000138682