Daily summary - 28.02.2024

End-of-Day report

Timeframe: Tuesday 27-02-2024 18:00 - Wednesday 28-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Ivanti: Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities

As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild.

https://www.ivanti.com/blog/enhanced-external-integrity-checking-tool-to-provide-additional-visibility-and-protection-for-customers-against-evolving-threat-actor-techniques-in-relation-to-previously-disclosed-vulnerabilities

Savvy Seahorse gang uses DNS CNAME records to power investor scams

A threat actor named Savvy Seahorse is abusing DNS CNAME records to build a traffic distribution system (TDS) that powers financial scam campaigns: many throwaway domains are pointed at one canonical name, so the operators can re-route all campaign traffic by changing a single record.

https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns-cname-records-to-power-investor-scams/
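One way to hunt for this pattern in passive-DNS data is to follow each domain's CNAME chain to its canonical target and flag targets that many unrelated-looking domains converge on. The following is an added example, not code from the BleepingComputer article or from the researchers who tracked Savvy Seahorse; the records it processes are constructed sample data and the hostnames are placeholders.

```python
"""Cluster domains by the CNAME hub their chains end at (added example)."""
from collections import defaultdict

# Constructed sample passive-DNS records: (name, rrtype, rdata).
# Three scam domains share one CNAME hub; the others are ordinary hosting.
SAMPLE_RECORDS = [
    ("invest-now.example", "CNAME", "tds-hub.example"),
    ("crypto-gains.example", "CNAME", "tds-hub.example"),
    ("fast-profit.example", "CNAME", "tds-hub.example"),
    ("tds-hub.example", "A", "192.0.2.10"),
    ("corp-site.example", "CNAME", "cdn.example"),
    ("cdn.example", "A", "198.51.100.5"),
    ("standalone.example", "A", "203.0.113.7"),
]


def build_cname_map(records):
    """Return {owner name: CNAME target} from the CNAME records only."""
    return {name: target for name, rtype, target in records if rtype == "CNAME"}


def resolve_chain(name, cname_map, max_hops=8):
    """Follow CNAMEs from name and return the final canonical name.

    Bounded by max_hops and a visited set, so a looped chain (a -> b -> a)
    terminates instead of hanging the caller.
    """
    visited = {name}
    current = name
    for _ in range(max_hops):
        nxt = cname_map.get(current)
        if nxt is None or nxt in visited:
            break
        visited.add(nxt)
        current = nxt
    return current


def cluster_by_hub(records, min_members=2):
    """Group CNAME owners by the canonical target their chain ends at.

    Only hubs with at least min_members are returned: one domain pointing at
    a CDN is normal hosting, many domains converging on one hub is the TDS
    shape worth a closer look.
    """
    cname_map = build_cname_map(records)
    groups = defaultdict(set)
    for name in cname_map:
        groups[resolve_chain(name, cname_map)].add(name)
    return {hub: sorted(members)
            for hub, members in groups.items() if len(members) >= min_members}


if __name__ == "__main__":
    for hub, members in cluster_by_hub(SAMPLE_RECORDS).items():
        print(f"{hub}: {', '.join(members)}")
```

The clustering is only a triage signal: legitimate CDNs and SaaS providers also collect thousands of CNAMEs, so a flagged hub still needs registration-date and content checks before it is blocked.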

Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th)

Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquiti, using well-known default credentials. Why do nation-state actors go after "simple" home devices?

https://isc.sans.edu/diary/rss/30694

European diplomats targeted by SPIKEDWINE with WINELOADER

Zscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. The PDF masquerades as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. It also contains a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain.

https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

Hacker group demands Bitcoins: extortion e-mails use the recipient's home address as leverage

"We are pleased to inform you that you have no idea about cyber security and that we were able to infect your phone," begins an e-mail from an alleged hacker group calling itself "Russian Blakmail Army". Supposedly, private photos and content of yours have been collected. If you do not want them published, you are told to send 1000 euros to a Bitcoin wallet. Ignore this e-mail; it is a fake.

https://www.watchlist-internet.at/news/hacker-gruppe-fordert-bitcoins-erpresserische-e-mails-enthalten-wohnadresse-als-druckmittel/

Navigating the Cloud: Exploring Lateral Movement Techniques

We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/

Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day

Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast's prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab.

https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/

Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters.

https://www.ic3.gov/Media/News/2024/240227.pdf

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography-vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff).

https://lwn.net/Articles/963957/

TeamViewer password vulnerability CVE-2024-0819

The Windows client should be updated urgently to version 15.51.5. The vendor has published a security advisory stating that older software versions provide only incomplete protection of the personal password settings.

https://www.borncity.com/blog/2024/02/28/teamviewer-passwort-schwachstelle-cve-2024-0819/

Cisco Security Advisories 2024-02-28

Security Impact Rating: 2x High, 3x Medium

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F02%2F28&firstPublishedEndDate=2024%2F02%2F28&pageNum=1&isRenderingBugList=false

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Checkmk: Werk #16361: Privilege escalation in Windows agent

https://checkmk.com/werk/16361

ARISTA Security Advisory 0093

https://www.arista.com/en/support/advisories-notices/security-advisory/19038-security-advisory-0093

Wiesemann & Theis: Multiple products prone to unquoted search path (CWE-428)

https://cert.vde.com/de/advisories/VDE-2024-018/
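Unquoted search path means a Windows service ImagePath that contains spaces but is not wrapped in quotes; CreateProcess then tries each space-delimited prefix with ".exe" appended before reaching the real binary, and a user who can write to one of those directories gets code execution as the service account. The following is an added example of the check, not code from the VDE advisory or from Wiesemann & Theis; the service entries are constructed, and the ImagePath values are not real products.

```python
"""Enumerate hijack candidates for unquoted Windows service paths (added example)."""
import re

# Constructed ImagePath values as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Not real services.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Some Vendor\\Sub Dir\\svc.exe -run",
    "SysSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "NoSpace": "C:\\Tools\\agent.exe",
}


def split_image_path(image_path):
    """Return (executable, arguments) for an ImagePath value.

    A quoted path ends at the closing quote. For an unquoted path we take the
    text up to the first '.exe' (case-insensitive); the rest is arguments.
    """
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:
            return p[1:], ""
        return p[1:end], p[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)", p, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    parts = p.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def hijack_candidates(image_path):
    """Return the paths CreateProcess would try before the real executable.

    For 'C:\\Program Files\\Some Vendor\\Sub Dir\\svc.exe' these are
    'C:\\Program.exe', 'C:\\Program Files\\Some.exe' and
    'C:\\Program Files\\Some Vendor\\Sub.exe'. Quoted paths and unquoted
    paths without spaces yield no candidates.
    """
    if image_path.strip().startswith('"'):
        return []
    exe, _ = split_image_path(image_path)
    # every space in the unquoted path is a point where the parser may stop
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_services(services):
    """Return {service: candidates} for services with an exploitable unquoted path.

    Paths under C:\\Windows are skipped: only administrators can write there,
    so a standard user cannot plant a candidate file. For the remaining hits
    the directory ACLs still have to be checked on the host (icacls or
    Get-Acl); that step is not simulated here.
    """
    findings = {}
    for name, path in services.items():
        exe, _ = split_image_path(path)
        if exe.lower().startswith("c:\\windows\\"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, cands in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for c in cands:
            print("  would try:", c)
```

On a live system the same check is usually run from PowerShell over `Get-CimInstance Win32_Service`, which exposes the PathName field; the fix on the vendor side is simply to quote the path in the service definition.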

F5: K000138731 : Linux vulnerability CVE-2023-3776

https://my.f5.com/manage/s/article/K000138731

Google Chrome: security update fixes four vulnerabilities

https://heise.de/-9641080