[CERT-daily] Tageszusammenfassung - 08.09.2022

Thu Sep 8 18:25:16 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 07-09-2022 18:00 − Donnerstag 08-09-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ RAID-Manager von Hitachi könnte Ansatzpunkt für Schadcode-Attacken sein ∗∗∗
---------------------------------------------
Für einige Versionen von Hitachi RAID Manager SRA sind Sicherheitsupdates erschienen. Für einige Ausgaben gibt es jedoch keinen Support mehr.
---------------------------------------------
https://heise.de/-7257664


∗∗∗ Threat landscape for industrial automation systems for H1 2022 ∗∗∗
---------------------------------------------
This report is based on an analysis of statistical data collected through the Kaspersky Security Network (KSN), a distributed antivirus network.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-for-h1-2022/107373/


∗∗∗ Profiling DEV-0270: PHOSPHORUS’ ransomware operations ∗∗∗
---------------------------------------------
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. 
---------------------------------------------
https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/


∗∗∗ Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th) ∗∗∗
---------------------------------------------
I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag).
---------------------------------------------
https://isc.sans.edu/diary/rss/29028


∗∗∗ HTTPS-Zertifikate: Die Rückkehr der Sperrlisten ∗∗∗
---------------------------------------------
Zukünftig soll es endlich wieder möglich sein, kompromittierte Zertifikate einfach zu sperren. Apple und Mozilla preschen vor und Lets Encrypt zieht mit.
---------------------------------------------
https://heise.de/-7257554


∗∗∗ Tensel-markt.de ist Fake! ∗∗∗
---------------------------------------------
Vorsicht vor Fake-Elektronik und Technik-Shops! Tensel-markt.de, gohlke-shop.de und Techno-max.de locken mit ihrem professionellen Design zahlreiche Konsument:innen in die Falle. Bestellen Sie nicht bei diesen Shops, Sie verlieren Ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/tensel-marktde-ist-fake/


∗∗∗ Lazarus and the tale of three RATs ∗∗∗
---------------------------------------------
Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
---------------------------------------------
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html


∗∗∗ How Malicious Actors Abuse Native Linux Tools in Attacks ∗∗∗
---------------------------------------------
Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ HP fixes severe bug in pre-installed Support Assistant tool ∗∗∗
---------------------------------------------
HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/


∗∗∗ Cisco Security Advisories 2022-09-07 ∗∗∗
---------------------------------------------
Cisco published 4 security advisories (2 high, 2 medium severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F09%2F07&firstPublishedEndDate=2022%2F09%2F07


∗∗∗ VPN-Lücke in älteren Cisco-Routern wird nicht mehr geschlossen ∗∗∗
---------------------------------------------
Für einige Cisco-Router ist der Support ausgelaufen. Es gibt wichtige Sicherheitsupdates für unter anderem Webex.
---------------------------------------------
https://heise.de/-7257206


∗∗∗ IBM Security Bulletins 2022-09-07 ∗∗∗
---------------------------------------------
IBM Java 8, IBM Aspera Faspex, IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, Enterprise Content Management System Monitor, IBM DB2, IBM Semeru Runtime, IBM Robotic Process Automation for Cloud Pak, IBM Intelligent Operations Center
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq).
---------------------------------------------
https://lwn.net/Articles/907508/


∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Nagios Enterprises Nagios XI ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1338


∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1335


∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1341


∗∗∗ Aruba ClearPass Policy Manager: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein Angreifer kann mehrere Schwachstellen in Aruba ClearPass Policy Manager ausnutzen, um Daten zu manipulieren oder offenzulegen, seine Rechte zu erweitern, Code auszuführen oder einen Denial of Service zu verursachen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1340


∗∗∗ MZ Automation libIEC61850 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-251-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily