Daily summary - 08.11.2024

End-of-Day report

Timeframe: Thursday 07-11-2024 18:00 - Friday 08-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer

News

Google To Make MFA Mandatory for Google Cloud in 2025

Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected.

https://heimdalsecurity.com/blog/google-cloud-mfa/

2024 Credit Card Theft Season Arrives

In today's post we're going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers.

https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html

ESET APT Activity Report Q2 2024-Q3 2024

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024

https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2024-q3-2024/

Helldown Ransomware Group - A New Emerging Ransomware Threat

As of November 2024, the online resources available related to the Helldown ransomware group's Tactics, Techniques and Procedures (TTPs) were effectively non-existent - this blogpost aims to address that and will be updated continuously as more investigations are completed.

https://www.truesec.com/hub/blog/helldown-ransomware-group

TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world.

While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA's TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence.

https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-threat-led-penetration-testing-tlpt-in-a-tiber-world/

Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations

Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns.

https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html

Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks

Last time we took a deep dive into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees.

https://www.nccgroup.com/us/research-blog/defending-your-directory-an-expert-guide-to-securing-active-directory-against-dcsync-attacks/

Nameless and shameless: Ransomware Encryption via BitLocker

This post will delve into a recent incident response engagement handled by NCC Group's Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs.

https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware-encryption-via-bitlocker/

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns.

https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains

Vulnerabilities

Max-Critical Cisco Bug Enables Command-Injection Attacks

Though Cisco reports no known malicious exploitation attempts, thanks to a CVSS 10-out-of-10 security vulnerability (CVE-2024-20418), three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks.

https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injection-attacks

Security updates for Friday

Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland).

https://lwn.net/Articles/997480/

Delta Electronics DIAScreen

https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02