Daily summary - 15.07.2024

End-of-Day report

Timeframe: Friday 12-07-2024 18:00 - Monday 15-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

New sender address for our daily e-mails to network operators

Every day we send between 150 and 250 e-mails to our contacts at network operators in Austria to inform them about problems in their networks that we (or our data sources) have found there. [..] We have now decided to take the same path that many other companies have already taken: from now on, we send these e-mails not from team@cert.at as the sender, but from noreply@cert.at. [..] Genuine enquiries should still be directed to team@cert.at.

https://www.cert.at/de/blog/2024/7/neuer-absender-fuer-notifications

Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD

On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that's what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers.

https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd

Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found

Microsoft confirmed last week that Windows is not affected by the vulnerability.

https://www.securityweek.com/microsoft-says-windows-not-impacted-by-regresshion-as-second-openssh-bug-is-found/

ClickFix Deception: A Social Engineering Tactic to Deploy Malware

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. [..] In a nutshell, clicking on the "How to fix" button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. [..] Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim's system, potentially leading to data theft, system compromise, or further propagation of the malware.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/

DNS hijacks target crypto platforms registered with Squarespace

A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.

https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/

June Windows Server updates break Microsoft 365 Defender features

Microsoft has confirmed that Windows Server updates from last month's Patch Tuesday break some Microsoft 365 Defender features that use the network data reporting service.

https://www.bleepingcomputer.com/news/microsoft/june-windows-server-updates-break-microsoft-365-defender-features/

Facebook ads for Windows desktop themes push info-stealing malware

Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. [..] While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.

https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-themes-push-sys01-info-stealing-malware/

Knot Resolver 6 News: DoS protection - operator's overview

The team behind Knot Resolver, the scalable caching DNS resolver, is hard at work developing a complex solution for protecting DNS servers and other participants on the Internet alike against denial-of-service attacks. This effort is a part of the ongoing DNS4EU project, co-funded by the European Union, which we are a proud part of. [..] As usual with projects from CZ.NIC, all of this code is also free and open source under the GPL license, so everyone is free to study and adapt it for their own exciting purposes.

https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-operators-overview/

16-bit Hash Collisions in .xls Spreadsheets, (Sat, Jul 13th)

Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions. I generated such a list, and included it in an update of my oledump plugin plugin_biff.py.

https://isc.sans.edu/diary/rss/31066

Protected OOXML Spreadsheets, (Mon, Jul 15th)

I was asked a question about the protection of an .xlsm spreadsheet [..]

https://isc.sans.edu/diary/rss/31070

CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool

A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools."

https://thehackernews.com/2024/07/crystalray-hackers-infect-over-1500.html

CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.

https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html

Vulnerabilities

Security updates for Monday

Security updates have been issued by Fedora (cups, krb5, pgadmin4, python3.6, and yarnpkg), Mageia (freeradius, kernel, kmod-xtables-addons, kmod-virtualbox, and dwarves, kernel-linus, and squid), Red Hat (ghostscript, kernel, and less), SUSE (avahi, c-ares, cairo, cups, fdo-client, gdk-pixbuf, git, libarchive, openvswitch3, podman, polkit, python-black, python-Jinja2, python-urllib3, skopeo, squashfs, tiff, traceroute, and wget), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm).

https://lwn.net/Articles/982029/

Admin vulnerability threatens Palo Alto Networks migration tool Expedition

Various Palo Alto Networks cybersecurity products are vulnerable. Security updates are available.

https://heise.de/-9800845

Wireshark 4.2.6 Released, (Sun, Jul 14th)

https://isc.sans.edu/diary/rss/31068

2024-07-15: Cyber Security Advisory - Mint Workbench I Unquoted Service Path Enumeration

https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7912&LanguageCode=en&DocumentPartId=1&Action=Launch