Daily summary - 29.02.2024

End-of-Day report

Timeframe: Wednesday 28-02-2024 18:00 - Thursday 29-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

LockBit ransomware returns to attacks with new encryptors, servers

The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week's law enforcement disruption.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/

New ransomware group: Alleged cyberattack on Epic Games remains doubtful

The hacker group Mogilevich is offering 189 GB of Epic Games data for sale on the darknet. Doubts about the offer are warranted, however.

https://www.golem.de/news/daten-stehen-zum-verkauf-neue-ransomwaregruppe-hat-angeblich-epic-games-gehackt-2402-182672.html

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Threat hunters have discovered a new Linux malware called GTPDOOR that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.html

New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.

https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html

#StopRansomware: Phobos Ransomware

This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

ALPHV is singling out healthcare sector, say FBI and CISA

CISA, FBI and HHS are warning about the ALPHV/Blackcat ransomware group targeting the healthcare industry.

https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-healthcare-sector-say-fbi-and-cisa

GUloader Unmasked: Decrypting the Threat of Malicious SVG Files

This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/

Amazon vishing: Beware of fake Amazon calls!

On the phone, criminals pose as Amazon employees. Under various pretexts they get you to install TeamViewer or AnyDesk and then empty your account. If you receive such a call, hang up and block the number.

https://www.watchlist-internet.at/news/amazon-vishing-vorsicht-vor-fake-amazon-anrufen/

ADCS ESC14 Abuse Technique

In this blog post, SpecterOps explores the variations of abuse of explicit certificate mapping (the altSecurityIdentities attribute) in AD, what the requirements are, and how you can protect your environment against it.

https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9
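A check a defender would want alongside the ESC14 post is an inventory of which accounts carry explicit certificate mappings and whether those mappings are of a weak type. The following is an added example written for this summary, not code from the SpecterOps post. It assumes Microsoft's weak/strong classification of altSecurityIdentities mapping types (weak: X509:&lt;S&gt;, X509:&lt;I&gt;&lt;S&gt;, X509:&lt;RFC822&gt;; strong: X509:&lt;I&gt;&lt;SR&gt;, X509:&lt;SKI&gt;, X509:&lt;SHA1-PUKEY&gt;) and operates on constructed sample data in place of a real directory export.

```python
import re

# Microsoft's classification of explicit X.509 mapping types: these are "weak"
# because anyone who can obtain a certificate with a matching Subject,
# Issuer+Subject or e-mail address can be mapped onto the account.
WEAK_TYPES = {"<S>", "<I><S>", "<RFC822>"}
# Strong types bind the mapping to issuer plus serial number, the Subject Key
# Identifier, or the SHA-1 hash of the certificate's public key.
STRONG_TYPES = {"<I><SR>", "<SKI>", "<SHA1-PUKEY>"}

_TAG_RE = re.compile(r"<(I|S|SR|SKI|SHA1-PUKEY|RFC822)>")


def classify_mapping(value):
    """Classify one altSecurityIdentities value as 'weak', 'strong',
    'non-x509' or 'unknown'."""
    if not value.startswith("X509:"):
        # Kerberos: and similar mappings are not explicit X.509 mappings
        return "non-x509"
    # Rebuild the sequence of mapping tags, e.g. "<I><S>", ignoring the DN
    # or identifier data that follows each tag.
    tags = "".join(f"<{t}>" for t in _TAG_RE.findall(value))
    if tags in WEAK_TYPES:
        return "weak"
    if tags in STRONG_TYPES:
        return "strong"
    return "unknown"


def find_weak_mappings(accounts):
    """accounts: iterable of (sAMAccountName, [altSecurityIdentities values]).
    Returns a list of (account, value) for every weak explicit mapping."""
    findings = []
    for name, values in accounts:
        for v in values or []:
            if classify_mapping(v) == "weak":
                findings.append((name, v))
    return findings


# Constructed sample input (hypothetical accounts, not real data), shaped like
# the output of an LDAP query for (altSecurityIdentities=*).
SAMPLE_ACCOUNTS = [
    ("svc-backup", ["X509:<I>DC=local,DC=corp,CN=CORP-CA<S>DC=local,DC=corp,CN=Users,CN=svc-backup"]),
    ("jdoe", ["X509:<SKI>aa1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"]),
    ("helpdesk", ["X509:<RFC822>helpdesk@corp.local", "Kerberos:helpdesk@CORP.LOCAL"]),
    ("admin-t0", ["X509:<I>DC=local,DC=corp,CN=CORP-CA<SR>0102030405"]),
]

if __name__ == "__main__":
    for name, v in find_weak_mappings(SAMPLE_ACCOUNTS):
        print(f"WEAK explicit mapping on {name}: {v}")
```

Feed it the altSecurityIdentities values exported from your directory (for example via Get-ADObject with an LDAP filter on the attribute). A weak mapping on a privileged account is the condition to remediate first; the complementary question, which principals hold write access to altSecurityIdentities on those objects, is the other half of the ESC14 picture and is covered in the post above.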

The Art of Domain Deception: Bifrost's New Tactic to Deceive Users

The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface.

https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/

Vulnerabilities in business VPNs under the spotlight

As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk.

https://www.welivesecurity.com/en/business-security/vulnerabilities-business-vpns-spotlight/

Sophos IT security products choke on the leap year

Due to a bug, Sophos Endpoint, Home and Server can warn before visits to legitimate websites. Initial fixes are already available.

https://heise.de/-9642801

Vulnerabilities

Security updates for Thursday

Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound).

https://lwn.net/Articles/964039/

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved-in-JSA-Applications

On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF05

https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP7-IF05

Delta Electronics CNCSoft-B

https://www.cisa.gov/news-events/ics-advisories/icsa-24-060-01

MicroDicom DICOM Viewer

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01