End-of-Day report
Timeframe: Thursday 23-01-2025 18:00 - Friday 24-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Hacker infects 18,000 "script kiddies" with fake malware builder
A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers.
https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/
Malware Redirects WordPress Traffic to Harmful Sites
Recently, a customer approached us after noticing their website was redirecting visitors to a suspicious URL. They suspected their site had been compromised and sought assistance in identifying and resolving the issue. This ..
https://blog.sucuri.net/2025/01/malware-redirects-wordpress-traffic-to-harmful-sites.html
North Korean dev who renamed himself Bane accused of IT worker fraud scheme
5 indicted as FBI warns North Korea dials up aggression, plus Russian devs allegedly get in on the act. The US is indicting yet another five suspects it believes were involved in North Korea's long-running, fraudulent remote IT worker scheme - including one who changed their last name to "Bane" and scored a gig at a tech biz in San Francisco.
https://www.theregister.com/2025/01/24/north_korean_devs_and_their/
Don't want your Kubernetes Windows nodes hijacked? Patch this hole now
SYSTEM-level command injection via API parameter *chef's kiss*. A now-fixed command-injection bug in Kubernetes can be exploited by a remote attacker to gain code execution with SYSTEM privileges on all Windows endpoints in a cluster, and thus fully take over those systems, according to Akamai researcher Tomer Peled.
https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/
Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars' location histories, and Subaru employees still can.
https://www.wired.com/story/subaru-location-tracking-vulnerabilities/
Several countries disinfect botnet, Germany does not
While authorities in France and the USA are shutting down the Plug-X malware on affected computers, in Germany victims are only being informed about infections.
https://www.heise.de/news/Botnetz-Plug-X-Reinemachen-geht-nicht-10252309.html
Patch now: cross-site scripting and denial of service possible in GitLab
GitLab warns of three vulnerabilities, one of which carries the threat level "high". Patches are available for the more recent versions.
https://www.heise.de/news/Jetzt-patchen-Cross-Site-Scripting-und-Denial-of-Service-in-GitLab-moeglich-10254924.html
Malvertising: Mac Homebrew users targeted
Criminals have placed malicious ads on Google that, instead of leading to the Homebrew website, lead to a genuine-looking malware site.
https://www.heise.de/news/Malvertising-Mac-Homebrew-User-im-Visier-10255909.html
Cyber security guidance for small fleet operators
Introduction: Cyber threats aren't just a problem for large shipping organizations; small maritime fleet operators are also at risk. Anything from phishing emails to ransomware attacks, these threats can disrupt ..
https://www.pentestpartners.com/security-blog/cyber-security-guidance-for-small-fleet-operators/
Private Keys in the Fortigate Leak
A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. It appears that the data was collected in 2022 due to a security vulnerability known as CVE-2022-40684. According to a blog post by Fortinet in 2022, they were already aware of active exploitation of the issue back then. It was first ..
https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.html
Exchange Server 2016 / 2019 reach their EOL in October 2025
A small addendum from this week on a topic that all Exchange administrators should, and probably do, have on their radar. In October 2025, both Microsoft Exchange Server 2016 and Microsoft Exchange ..
https://www.borncity.com/blog/2025/01/24/exchange-server-2016-2019-erreichen-im-oktober-2025-ihr-eol/
Seasoning email threats with hidden text salting
Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.
https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text-salting/
SUSCTL (CVE-2024-54507): A particularly sus sysctl in the XNU Kernel
Every time Apple releases a new version of XNU, I run a custom suite of tests under an address sanitizer to see if I can spot any regressions, or even possibly new bugs. When I was messing around with macOS 15.0, I was shocked to see a very simple command was causing the sanitizer to report an invalid load.
https://jprx.io/cve-2024-54507/
The J-Magic Show: Magic Packets and Where to find them
The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a "magic packet," sent by ..
https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
cURL Project and Go Security Teams Reject CVSS as Broken
The CVSS (Common Vulnerability Scoring System) is facing significant pushback as both the cURL project and Go security teams are publicly distancing themselves from the framework. While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which ..
https://socket.dev/blog/curl-project-and-go-security-teams-reject-cvss-as-broken
FalconFeeds.io X Account Hacked, Promoting Fraudulent Crypto Scams
FalconFeeds.io's official X (formerly Twitter) account has been compromised, leading to the promotion of fraudulent cryptocurrency posts and scams. This hacking of FalconFeed has shocked the cybersecurity community as the platform was renowned for dark web news alerts. With this hacking of the FalconFeed X account, many users and cybersecurity experts are advising ..
https://thecyberexpress.com/hacking-of-falconfeed/
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL).
https://lwn.net/Articles/1006103/