Daily summary - 08.10.2024

End-of-Day report

Timeframe: Monday 07-10-2024 18:00 - Tuesday 08-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner

News

ADT discloses second breach in 2 months, hacked via stolen credentials

Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data.

https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-in-2-months-hacked-via-stolen-credentials/

Casio reports IT systems failure after weekend network breach

Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services.

https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-failure-after-weekend-network-breach/

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024.

https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html

Feds reach for sliver of crypto-cash nicked by North Korea's notorious Lazarus Group

The US government is attempting to claw back more than $2.67 million stolen by North Korea's Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.

https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_group_crypto_seizure/

Shining Light on the Dark Angels Ransomware Group

The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies.

https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group

7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin

On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites.

https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-latepoint-wordpress-plugin/

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions.

https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/

Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million

A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal.

https://therecord.media/raccoon-stealer-operator-pleads-guilty

TAG Bulletin: Q3 2024

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024.

https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/

Crypto-Stealing Code Lurking in Python Package Dependencies

On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like "AtomicDecoderss", "TrustDecoderss", "WalletDecoderss", and "ExodusDecodes", masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets.

https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-dependencies/

Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass

Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an "unknown" device. Affected users should review system logs.

https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/
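The item above ends with the advice to review system logs. As an added example (not code from Okta or from the linked article), the script below pulls successful sign-in events from an Okta System Log export where the client device was classified as "Unknown", restricted to a review window. The field names (published, eventType, outcome.result, client.device, actor.alternateId) follow the Okta System Log JSON schema; the filter criteria themselves (which event types count as a sign-in, and matching on device "Unknown") are assumptions chosen for illustration, not Okta's published detection guidance, and the log lines are constructed.

```python
"""
Triage helper for an Okta System Log export: list successful sign-ins
whose client device Okta reported as "Unknown", within a review window.

Added example, not code from Okta or the linked article. Field names follow
the Okta System Log JSON schema; the filter criteria are an assumption
chosen for illustration, not Okta's own detection guidance.
"""
import json
from datetime import datetime, timezone

# Event types treated as a sign-in for this example (assumption).
LOGIN_EVENT_TYPES = {"user.session.start", "user.authentication.sso"}

# Constructed sample export in JSON Lines form, not real log data.
SAMPLE_LOG = """\
{"published": "2024-10-05T09:12:00.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "client": {"device": "Unknown", "ipAddress": "203.0.113.10"}, "actor": {"alternateId": "alice@example.com"}}
{"published": "2024-10-05T09:15:00.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "client": {"device": "Computer", "ipAddress": "198.51.100.7"}, "actor": {"alternateId": "bob@example.com"}}
{"published": "2024-10-06T22:40:00.000Z", "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"}, "client": {"device": "Unknown", "ipAddress": "203.0.113.44"}, "actor": {"alternateId": "carol@example.com"}}
{"published": "2024-10-06T22:41:00.000Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "client": {"device": "Unknown", "ipAddress": "203.0.113.44"}, "actor": {"alternateId": "dave@example.com"}}
{"published": "2024-09-20T08:00:00.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "client": {"device": "Unknown", "ipAddress": "203.0.113.9"}, "actor": {"alternateId": "erin@example.com"}}
{"published": "2024-10-07T01:00:00.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "client": {"device": "Unknown", "ipAddress": "203.0.113.10"}, "actor": {"alternateId": "alice@example.com"}}
"""


def _parse_ts(value: str) -> datetime:
    """Parse Okta's UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_events(text: str) -> list[dict]:
    """Parse a JSON Lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unknown_device_login(event: dict, since: datetime) -> bool:
    """True for a successful sign-in at or after `since` whose client
    device Okta recorded as "Unknown". Failed attempts are deliberately
    excluded: the question is who actually got in."""
    if event.get("eventType") not in LOGIN_EVENT_TYPES:
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    if event.get("client", {}).get("device") != "Unknown":
        return False
    return _parse_ts(event["published"]) >= since


def find_unknown_device_logins(events: list[dict], since: str) -> list[dict]:
    """Events worth a closer look, in log order. `since` is an Okta-style
    UTC timestamp marking the start of the review window."""
    cutoff = _parse_ts(since)
    return [e for e in events if is_unknown_device_login(e, cutoff)]


def summarize(events: list[dict]) -> dict[str, int]:
    """Count flagged sign-ins per actor so reviewers can prioritise."""
    counts: dict[str, int] = {}
    for e in events:
        actor = e.get("actor", {}).get("alternateId", "<unknown actor>")
        counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unknown_device_logins(parse_events(SAMPLE_LOG),
                                      "2024-10-01T00:00:00.000Z")
    for e in hits:
        print(e["published"], e["eventType"],
              e["actor"]["alternateId"], e["client"]["ipAddress"])
    print(summarize(hits))
```

Run against a real export, the output is a starting list, not a verdict: an "Unknown" device on a successful sign-in is also what a fresh browser or a script-driven client looks like, so each hit still needs to be checked against the user's normal pattern and the applications reached in that session.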

Cyberattack on American Water Shuts Down Customer Portal, Halts Billing

American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident.

https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/

Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure

The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor's ongoing efforts to compromise users' Microsoft and Google accounts.

https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infrastructure/

Lua Malware Targeting Student Gamers via Fake Game Cheats

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.

https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/

Vulnerabilities

Qualcomm patches high-severity zero-day exploited in attacks

Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.

https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree

It has been discovered that TYPO3 CMS is susceptible to information disclosure.

https://typo3.org/security/advisory/typo3-core-sa-2024-012

TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar

It has been discovered that TYPO3 CMS is susceptible to denial of service.

https://typo3.org/security/advisory/typo3-core-sa-2024-011

Security updates for Tuesday

Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).

https://lwn.net/Articles/993276/

Critical security vulnerabilities in DrayTek devices allow system takeover

Researchers found fourteen new vulnerabilities in the operating system of the Vigor routers; two dozen models are affected, some of them end-of-life. Patches are available.

https://heise.de/-9973906