Daily summary - 25.09.2024

End-of-Day report

Timeframe: Tuesday 24-09-2024 18:00 - Wednesday 25-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer

News

ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function

A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said.

https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.html

Once again: OpenAI's official Twitter account taken over by crypto scammers

The official Twitter account of the press office of ChatGPT provider OpenAI was taken over by scammers and used to promote a fake cryptocurrency.

https://heise.de/-9953073

AI-Generated Malware Found in the Wild

HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper.

https://www.securityweek.com/ai-generated-malware-found-in-the-wild/

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more.

https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/

LummaC2: Obfuscation Through Indirect Control Flow

This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware.

https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/

Modified LockBit and Conti ransomware shows up in DragonForce gang's attacks

The manufacturing, real estate and transportation industries are recent targets of the cybercrime operation known as DragonForce. Researchers say it's serving up versions of LockBit and Conti to affiliates.

https://therecord.media/lockbit-conti-dragonforce-ransomware-cybercrime

Shedding Light on Election Deepfakes

Contrary to popular belief, deepfakes - AI-crafted audio files, images, or videos that depict events and statements that never occurred; a portmanteau of "deep learning" and "fake" - are not all intrinsically malicious. [..] Let's take a look at the state of deepfakes during the 2020 elections, how it's currently making waves in the 2024 election cycle, and how voters can tell truth from digital deception.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/shedding-light-on-election-deepfakes/

Vulnerabilities

20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM - WooCommerce Frontend Manager WordPress Plugin

This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. [..] After providing full disclosure details, the developer released a patch on September 23, 2024. [..] CVE ID: CVE-2024-8290

https://www.wordfence.com/blog/2024/09/20000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-wcfm-woocommerce-frontend-manager-wordpress-plugin/

Security updates for Wednesday

Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).

https://lwn.net/Articles/991701/

WatchGuard SSO and Moodle

rt-sa-2024-008: WatchGuard SSO Client Denial-of-Service
rt-sa-2024-007: WatchGuard SSO Agent Telnet Authentication Bypass
rt-sa-2024-006: WatchGuard SSO Protocol is Unencrypted and Unauthenticated
rt-sa-2024-009: Moodle: Remote Code Execution via Calculated Questions

https://www.redteam-pentesting.de/en/advisories/

TeamViewer: High-risk vulnerabilities enable privilege escalation

In the TeamViewer remote clients, attackers can abuse insufficient cryptographic verification of driver installations to escalate their privileges and install drivers (CVE-2024-7479, CVE-2024-7481; both CVSS 8.8, risk "high"). [..] Version 15.58.4 or newer, available since Tuesday of this week, closes these vulnerabilities.

https://heise.de/-9953034

XenServer and Citrix Hypervisor Security Update for CVE-2024-45817

https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervisor-security-update-for-cve202445817?language=en_US

Vulnerability in BlackBerry CylanceOPTICS Windows Installer Package

https://sec-consult.com/de/vulnerability-lab/advisory/schwachstelle-in-blackberry-cylanceoptics-windows-installer-package/