Daily Summary - 22.07.2024

End-of-Day report

Timeframe: Friday 19-07-2024 18:00 - Monday 22-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Attackers Abuse Swap File to Steal Credit Cards

Bad actors exploited the humble swap file to maintain a persistent credit card skimmer on a Magento e-commerce site. This clever tactic allowed the malware to survive multiple cleanup attempts.

https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-cards.html

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.

https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.

https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html

PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes.

https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html

From RA Group to RA World: Evolution of a Ransomware Group

Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools.

https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

Addressing CrowdStrike on Cloud VMs in AWS with Automated Remediation

Published guidance instructs administrators to reboot the machine in Safe Mode, delete a specific file, and reboot back to normal mode. Obviously, this isn't a viable resolution on virtual machines hosted in the public cloud, as there is no way to get to Safe Mode.

https://orca.security/resources/blog/crowdstrike-cloud-vm-automated-remediation/

CrowdStrike outages: Microsoft releases recovery tool

Microsoft has published an image for USB sticks that can be used to recover affected systems, provided that you have the BitLocker key.

https://heise.de/-9808481

Vulnerabilities

Telegram zero-day allowed sending malicious Android APKs as videos

A Telegram for Android zero-day vulnerability dubbed EvilVideo allowed attackers to send malicious Android APK payloads disguised as video files.

https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/

Security updates for Monday

Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy,[...]

https://lwn.net/Articles/982845/

Security updates: attackers can cripple Sonicwall firewalls

Some Sonicwall firewalls are vulnerable. Attacks could be imminent.

https://heise.de/-9808904

BIOS security vulnerability endangers countless HP PCs

Attackers can attack many HP desktop computers with malicious code.

https://heise.de/-9809134

SSA-071402 V1.0: Multiple Vulnerabilities in SICAM Products

https://cert-portal.siemens.com/productcert/html/ssa-071402.html