[CERT-daily] Tageszusammenfassung - 01.08.2022

Mon Aug 1 18:22:05 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 29-07-2022 18:00 − Montag 01-08-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Sicherheitslücken als Türöffner in Nuki Smart Lock entdeckt und geschlossen ∗∗∗
---------------------------------------------
Angreifer könnten an zahlreichen Schwachstellen in verschiedenen smarten Türschlössern Nuki Smart Lock ansetzen. Die WLAN Bridge Nuki Bridge ist auch betroffen.
---------------------------------------------
https://heise.de/-7194709


∗∗∗ Adware-Apps aus Google Play tarnen sich auf Android-Geräten als Gestaltenwandler ∗∗∗
---------------------------------------------
Werbung auf Facebook für Fake-Apps zur Android-Systemoptimierung führt zu rund 7 Millionen Installationen. Opfer werden mit Werbeanzeigen belästigt.
---------------------------------------------
https://heise.de/-7194655


∗∗∗ Post-Quanten-Kryptographie: Verschlüsselung mit Isogenien ist unsicher ∗∗∗
---------------------------------------------
Ein Angriff auf den Schlüsselaustausch SIDH zeigt erneut, wie riskant experimentelle kryptographische Algorithmen sein können.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-isogenien-ist-unsicher-2207-167267.html


∗∗∗ BlackCat ransomware claims attack on European gas pipeline ∗∗∗
---------------------------------------------
The ransomware group known as ALPHV (aka BlackCat) has assumed over the weekend responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/


∗∗∗ A Detailed Analysis of the RedLine Stealer ∗∗∗
---------------------------------------------
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.
---------------------------------------------
https://securityscorecard.com/research/detailed-analysis-redline-stealer


∗∗∗ Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys ∗∗∗
---------------------------------------------
Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.html


∗∗∗ A Little DDoS In the Morning, (Mon, Aug 1st) ∗∗∗
---------------------------------------------
Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API.
---------------------------------------------
https://isc.sans.edu/diary/rss/28900


∗∗∗ Month of PowerShell - PowerShell Remoting, Part 2 ∗∗∗
---------------------------------------------
In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems.
---------------------------------------------
https://www.sans.org/blog/powershell-remoting-part-2/


∗∗∗ Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter ∗∗∗
---------------------------------------------
In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement.
---------------------------------------------
https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/


∗∗∗ Month of PowerShell - Keyboard Shortcuts Like a Boss ∗∗∗
---------------------------------------------
In this article we look at several keyboard shortcuts to speed up your PowerShell sessions.
---------------------------------------------
https://www.sans.org/blog/keyboard-shortcuts-boss/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress Vulnerabilities & Patch Roundup — July 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-july-2022.html


∗∗∗ Arris / Arris-variant DSL/Fiber router critical vulnerability exposure ∗∗∗
---------------------------------------------
Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models (at least, possibly other) NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).
---------------------------------------------
https://derekabdine.com/blog/2022-arris-advisory


∗∗∗ IBM Security Bulletins 2022-07-29 ∗∗∗
---------------------------------------------
IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Thunderbird vorstellbar ∗∗∗
---------------------------------------------
Die Entwickler von Mozilla haben im E-Mail-Client Thunderbird mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7194671


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...]
---------------------------------------------
https://lwn.net/Articles/903455/


∗∗∗ HPE ProLiant und HP Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein lokaler Angreifer oder ein Angreifer aus dem angrenzenden Netzwerk kann mehrere Schwachstellen in HPE ProLiant und HPE Integrated Lights-Out ausnutzen, um beliebigen Programmcode auszuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand zu verursachen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870


∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867


∗∗∗ HCL Commerce: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
Ein lokaler Angreifer kann eine Schwachstelle in HCL Commerce ausnutzen, um Informationen offenzulegen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866


∗∗∗ Multiple Vulnerabilities in BF-OS ∗∗∗
---------------------------------------------
BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html


∗∗∗ K21192332: Apache HTTP Server vulnerability CVE-2022-31813 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21192332

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily