Daily summary - 04.10.2024

End-of-Day report

Timeframe: Thursday 03-10-2024 18:00 - Friday 04-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps

During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks [..] Many of the attacks aimed at the target's network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers.

https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-recorded-ddos-attack-peaking-at-38tbps/

Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks

Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation.

https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-magento-shops-hacked-in-cosmicsting-attacks/

Survey of CUPS exploit attempts (Fri, Oct 4th)

It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

https://isc.sans.edu/diary/rss/31326
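The honeypot in the diary above only collects raw UDP/631 datagrams; the interesting question is what the packets try to make cups-browsed do. The following triage script is an added example, not code from the ISC diary or from CUPS. It assumes the legacy CUPS browse packet layout that cups-browsed accepts (`<type-hex> <state-hex> <uri> "<location>" "<info>" "<make-and-model>" [option=value ...]`), parses each capture, and flags packets whose printer URI would make cups-browsed connect to a host other than the sender, outside the local ranges, on a non-standard port, or over a non-IPP scheme. The captures, the local network list and the host names are constructed for the example.

```python
"""Triage of UDP/631 datagrams captured by a honeypot watching for CUPS exploit attempts.

Added illustration, not code from the ISC diary or from CUPS. Assumes the legacy
CUPS browse packet layout that cups-browsed accepts:
    <type-hex> <state-hex> <uri> "<location>" "<info>" "<make-and-model>" [option=value ...]
"""
import ipaddress
import shlex
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Address ranges the honeypot operator treats as "local". Constructed for this example;
# a real deployment would list the monitored prefixes.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class BrowsePacket:
    src_ip: str
    ptype: int
    state: int
    uri: str
    location: str = ""
    info: str = ""
    make_model: str = ""
    options: list = field(default_factory=list)


def parse_browse_packet(src_ip: str, payload: bytes) -> BrowsePacket:
    """Parse one browse datagram; raises ValueError for anything that is not one."""
    text = payload.decode("ascii", errors="replace").strip()
    head = text.split(None, 3)
    if len(head) < 3:
        raise ValueError("too few fields")
    ptype, state, uri = int(head[0], 16), int(head[1], 16), head[2]
    if "://" not in uri:
        raise ValueError("third field is not a URI")
    try:
        tail = shlex.split(head[3]) if len(head) == 4 else []  # handles the quoted strings
    except ValueError as exc:  # unbalanced quotes
        raise ValueError(f"bad quoting: {exc}") from None
    location, info, make_model = (tail + ["", "", ""])[:3]
    return BrowsePacket(src_ip, ptype, state, uri, location, info, make_model, tail[3:])


def is_local(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: cups-browsed would resolve it and connect wherever it points
    return any(addr in net for net in LOCAL_NETS)


def suspicious_reasons(pkt: BrowsePacket) -> list:
    """Reasons why acting on this packet would be dangerous; an empty list means it looks benign."""
    reasons = []
    parts = urlsplit(pkt.uri)
    host = parts.hostname or ""
    if parts.scheme not in ("ipp", "ipps"):
        reasons.append(f"scheme {parts.scheme!r} is not ipp/ipps")
    if not host:
        reasons.append("URI has no host")
    else:
        if host != pkt.src_ip:
            reasons.append(f"URI host {host} differs from sender {pkt.src_ip}")
        if not is_local(host):
            reasons.append(f"URI host {host} is outside the local networks")
    try:
        port = parts.port
    except ValueError:  # garbage port string
        port = -1
    if port not in (None, 631):
        reasons.append(f"non-standard IPP port {port}")
    return reasons


def survey(captures) -> dict:
    """Summarise (src_ip, payload) pairs: parse rate, hosts the packets point cups-browsed at, flagged packets."""
    stats = {"total": 0, "malformed": 0, "flagged": 0,
             "callback_hosts": Counter(), "sources": Counter(), "findings": []}
    for src_ip, payload in captures:
        stats["total"] += 1
        stats["sources"][src_ip] += 1
        try:
            pkt = parse_browse_packet(src_ip, payload)
        except ValueError:
            stats["malformed"] += 1
            continue
        stats["callback_hosts"][urlsplit(pkt.uri).hostname or "?"] += 1
        reasons = suspicious_reasons(pkt)
        if reasons:
            stats["flagged"] += 1
            stats["findings"].append((src_ip, pkt.uri, reasons))
    return stats


# Constructed captures standing in for the honeypot's pcap (documentation addresses, fake names).
SAMPLE_CAPTURES = [
    ("10.1.2.3", b'3 3 ipp://10.1.2.3:631/printers/office "Floor 2" "Office MFP" "Generic PostScript" lease-duration=300'),
    ("198.51.100.7", b'3 3 ipp://198.51.100.7:8000/printers/p "" "" ""'),
    ("203.0.113.5", b'3 3 http://printer.attacker.example/printers/p "x" "x" "x"'),
    ("203.0.113.9", b"\x16\x03\x01\x00\xa5"),
    ("203.0.113.9", b'3 3 ipp://203.0.113.9/p "oops'),
]

if __name__ == "__main__":
    result = survey(SAMPLE_CAPTURES)
    print(f"{result['total']} datagrams, {result['malformed']} malformed, {result['flagged']} flagged")
    for src, uri, reasons in result["findings"]:
        print(f"  {src} -> {uri}: {'; '.join(reasons)}")
    print("callback hosts:", dict(result["callback_hosts"]))
```

The "callback host" counter is the number worth watching in a survey like the diary's: every flagged packet is an invitation for cups-browsed to open an outbound IPP connection to that host, and a handful of hosts reused across many source addresses points at one scanning operator. Anything that fails to parse is counted separately rather than dropped, since scanners commonly send malformed probes first.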

Apple fixes bug that let VoiceOver shout your passwords

Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update.

https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceover_password_bug/

Security updates: Cisco patches vulnerabilities in products across the board

Besides one critical flaw, the network equipment vendor is also addressing several vulnerabilities of medium and high severity. Patches are available.

https://heise.de/-9961998

DRAY:BREAK Breaking Into DrayTek Routers Before Threat Actors Do It Again

In 2024, routers are a primary target for cybercriminals and state-sponsored attackers - and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers.

https://www.forescout.com/resources/draybreak-draytek-research/

Threat actor believed to be spreading new MedusaLocker variant since 2022

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as "BabyLockerKZ." The distinguishable techniques - including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string "paid_memes," and the use of a lateral movement tool named "checker" - used in the attack led us to take a deeper look to try to understand more about this threat actor.

https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
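The PDB-path string is the cheapest of the indicators above to hunt for, because the CodeView record that carries it survives in the binary, in memory dumps and in carved fragments. The script below is an added example, not Talos tooling: it scans raw bytes for CodeView "RSDS" records (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) rather than walking the PE debug directory, then matches the extracted paths against the reported substring. The two "binaries" it runs on are constructed stand-ins, not real BabyLockerKZ tools, and the GUID and paths are made up.

```python
"""Hunt for the PDB-path indicator from the Talos write-up in PE files or memory.

Added illustration, not Talos tooling. Scans raw bytes for CodeView "RSDS" records
(signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) instead of walking the
PE debug directory, so it also works on dumps and carved fragments. The samples are
constructed stand-ins, not real MedusaLocker/BabyLockerKZ tools.
"""
import re
import struct
import uuid

# RSDS + GUID + age + printable path + NUL. Paths longer than 260 characters are not matched.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

# Indicator substring from the Talos report; matched case-insensitively against the PDB path.
INDICATORS = ("paid_memes",)


def extract_pdb_paths(data: bytes) -> list:
    """Return every plausible CodeView record in `data` as dicts with offset, guid, age, path."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid_raw, age_raw, path_raw = m.groups()
        path = path_raw.decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue  # "RSDS" occurred by chance (e.g. inside a string table)
        records.append({
            "offset": m.start(),
            "guid": str(uuid.UUID(bytes_le=guid_raw)),  # PE stores the GUID little-endian
            "age": struct.unpack("<I", age_raw)[0],
            "path": path,
        })
    return records


def match_indicators(records: list, indicators=INDICATORS) -> list:
    """(path, indicator) pairs for every record whose PDB path contains an indicator."""
    hits = []
    for rec in records:
        low = rec["path"].lower()
        hits.extend((rec["path"], ind) for ind in indicators if ind.lower() in low)
    return hits


def build_sample(pdb_path: bytes, age: int = 2) -> bytes:
    """Constructed stand-in for a PE file: junk, one RSDS record, more junk."""
    guid = uuid.UUID(int=0x0123456789abcdef0123456789abcdef)  # made-up GUID
    return (b"MZ" + b"\x90" * 64 + b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + pdb_path + b"\x00" + b"\x00" * 32)


# Constructed samples: one mimicking the reported indicator, one benign.
SUSPECT_SAMPLE = build_sample(rb"C:\Users\dev\source\paid_memes\checker\Release\checker.pdb")
BENIGN_SAMPLE = build_sample(rb"D:\build\agent\_work\1\s\bin\Release\app.pdb")

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        recs = extract_pdb_paths(blob)
        print(name, [r["path"] for r in recs], "hits:", match_indicators(recs))
```

For bulk scanning the same logic fits in a YARA rule or a pefile walk of the debug directory; the byte scan here is the triage version, which is why it insists on a `.pdb` suffix before trusting a stray "RSDS" and keeps the GUID and age so a hit can be correlated with other samples from the same build.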

Ransomware Groups Demystified: CyberVolk Ransomware

As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024.

https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/

Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.

https://thehackernews.com/2024/10/android-14-adds-new-security-features.html

Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone

Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail.

https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-smallest-kali-linux-with-a-smartphone/

Vulnerabilities

Security updates for Friday

Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).

https://lwn.net/Articles/992936/

Keycloak 26.0.0 released

CVE-2024-7318: Use of a Key Past its Expiration Date in org.keycloak:keycloak-core; CVE-2024-8883: Vulnerable Redirect URI Validation Results in Open Redirect; CVE-2024-8698: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak; CVE-2024-7254: Stack-based Buffer Overflow in com.google.protobuf:protobuf-java.

https://www.keycloak.org/2024/10/keycloak-2600-released

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024)

https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-23-2024-to-september-29-2024/