[CERT-daily] Tageszusammenfassung - 10.01.2023

Tue Jan 10 19:07:34 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗
---------------------------------------------
Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist.
---------------------------------------------
https://heise.de/-7447684


∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗
---------------------------------------------
Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7453606


∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗
---------------------------------------------
Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte.
---------------------------------------------
https://heise.de/-7453534


∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗
---------------------------------------------
SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren.
---------------------------------------------
https://heise.de/-7454402


∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗
---------------------------------------------
On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention.
---------------------------------------------
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/


∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗
---------------------------------------------
I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.
---------------------------------------------
https://isc.sans.edu/diary/rss/29416


∗∗∗ ChatGPT-Written Malware ∗∗∗
---------------------------------------------
I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html


∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗
---------------------------------------------
The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.
---------------------------------------------
https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html


∗∗∗ The Dark Side of Gmail ∗∗∗
---------------------------------------------
Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers.
---------------------------------------------
https://osintmatter.com/the-dark-side-of-gmail/


∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗
---------------------------------------------
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven


∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗
---------------------------------------------
Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.
---------------------------------------------
https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗
---------------------------------------------
In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet.
---------------------------------------------
https://heise.de/-7453560


∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗
---------------------------------------------
Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen.
---------------------------------------------
https://heise.de/-7454141


∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗
---------------------------------------------
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.
---------------------------------------------
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/919543/


∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗
---------------------------------------------
The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advisories-siemens-schneider


∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two-industrial-control-systems-advisories


∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-access-information-disclosure-denial-of-service-vulnerabilities-discovered/


∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗
---------------------------------------------
CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗
---------------------------------------------
SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1 
SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge 
SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products 
SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products 
SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products 
SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices 
SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products 
SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products 
SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client 
SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module 
SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices 
SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products 
SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers 
SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager 
SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices 
SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack 
SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families 
SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products 
SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices 
SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1 
SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module 
SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#SecurityPublications

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily