Daily summary - 11.09.2024

End-of-Day report

Timeframe: Tuesday 10-09-2024 18:00 - Wednesday 11-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

New PIXHELL acoustic attack leaks secrets from LCD screen noise

A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.

https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-leaks-secrets-from-lcd-screen-noise/

Air-gapped systems: malware uses LCD pixel patterns to exfiltrate data via sound

Reception takes place, for example, via a nearby smartphone. The data rate is low, but sufficient for keylogging and passwords.

https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-fuer-datenausleitung-per-schall-2409-188883.html

Python Libraries Used for Malicious Purposes

Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1], which reports, as of today, 567,478 projects! Malware developers are like regular developers: they don't want to reinvent the wheel and go shopping across existing libraries to expand their scripts' capabilities.

https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purposes/31248/

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that ..

https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html

Microsoft says it broke some Windows 10 patching - as it fixes flaws under attack

CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities. Patch Tuesday: Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.

https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/

So you paid a ransom demand - and now the decryptor doesn't work

A really big oh sh*t moment, for sure. For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.

https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/

Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin

On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.

https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-by-privilege-escalation-vulnerability-patched-in-post-grid-and-gutenberg-blocks-plugin/

ADCS Attack Paths in BloodHound - Part 3

In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..

https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb00856ac

Phishing Pages Delivered Through Refresh HTTP Response Header

We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.

https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refresh/

The September 2024 Security Update Review

We've reached September and the pumpkin spice floats in the air. While they aren't pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches - including some zesty 0-days. Take a break from ..

https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-review

SBOMs and the importance of inventory

Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?

https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..

https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).

https://lwn.net/Articles/989772/

Cisco Releases Security Updates for Cisco Smart Licensing Utility

https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-updates-cisco-smart-licensing-utility