- Daily - CERT.at

Tageszusammenfassung - 11.05.2022
by Daily end-of-shift report 11 May '22

11 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-05-2022 18:00 − Mittwoch 11-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New IceApple exploit toolset deployed on Microsoft Exchange servers ∗∗∗ --------------------------------------------- Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iceapple-exploit-toolset… ∗∗∗ New stealthy Nerbian RAT malware spotted in ongoing attacks ∗∗∗ --------------------------------------------- A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-nerbian-rat-mal… ∗∗∗ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware, (Wed, May 11th) ∗∗∗ --------------------------------------------- Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. --------------------------------------------- https://isc.sans.edu/diary/rss/28636 ∗∗∗ Vorsicht vor aktuellen BAWAG-Phishing-Mails! ∗∗∗ --------------------------------------------- Auch aktuell kursieren unzählige Phishing-Nachrichten und landen in den E-Mail-Postfächern potenzieller Opfer. Bei neuen Betrugs-Mails im Namen der BAWAG P.S.K. haben sich die Kriminellen wieder etwas Neues einfallen lassen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-aktuellen-bawag-phishin… ∗∗∗ From Project File to Code Execution: Exploiting Vulnerabilities in XINJE PLC Program Tool ∗∗∗ --------------------------------------------- Team82 has uncovered two vulnerabilities in XINJE’s PLC Program Tool, an engineering workstation. --------------------------------------------- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-exec… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws ∗∗∗ --------------------------------------------- Today is Microsofts May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tu… ∗∗∗ HP fixes bug letting attackers overwrite firmware in over 200 models ∗∗∗ --------------------------------------------- HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which might allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attacke… ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen ColdFusion, InDesign & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Anwendungen von Adobe. Den Großteil der Lücken stuft der Software-Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-7081357 ∗∗∗ Patchday: SAP behebt acht neu entdeckte Sicherheitsprobleme ∗∗∗ --------------------------------------------- Zum Mai-Patchday meldet SAP acht neue Sicherheitslücken und aktualisiert Artikel zu vier Schwachstellen, die das Unternehmen bereits früher abgedichtet hat. --------------------------------------------- https://heise.de/-7081276 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt), Fedora (blender, freerdp, kernel, kernel-headers, kernel-tools, mingw-freetype, and vim), Oracle (kernel and kernel-container), Red Hat (aspell, bind, bluez, c-ares, cairo and pixman, cockpit, compat-exiv2-026, container-tools:3.0, container-tools:rhel8, cpio, dovecot, exiv2, fapolicyd, fetchmail, flatpak, gfbgraph, gnome-shell, go-toolset:rhel8, grafana, grub2, httpd:2.4, keepalived, kernel, kernel-rt, libpq, libreoffice, libsndfile, libssh, [...] --------------------------------------------- https://lwn.net/Articles/894802/ ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS). (CVE-2021-39059) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-remote-s… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-018/ ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0567 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/11/google-releases-s… ∗∗∗ Intel Boot Guard and Intel TXT Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500488-INTEL-BOOT-GUARD-AND-IN… ∗∗∗ Intel SSD Firmware Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500487-INTEL-SSD-FIRMWARE-ADVI… ∗∗∗ Lenovo Smart Standby Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500486-LENOVO-SMART-STANDBY-DR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2022
by Daily end-of-shift report 10 May '22

10 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 09-05-2022 18:00 − Dienstag 10-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families ∗∗∗ --------------------------------------------- Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer thats designed to siphon credentials and system information. --------------------------------------------- https://thehackernews.com/2022/05/experts-detail-saintstealer-and-prynt.html ∗∗∗ SEO Poisoning – A Gootloader Story ∗∗∗ --------------------------------------------- Gootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021. The threat actors utilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of certain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared driveway agreement?” --------------------------------------------- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ ∗∗∗ Hilfe, Kriminelle bestellen Produkte in meinem Namen! ∗∗∗ --------------------------------------------- Erhalten Sie Rechnungen, Mahnungen, ja vielleicht sogar Inkasso-Schreiben für Bestellungen, die Sie nie getätigt haben? Dann kann es sein, dass Verbrecher:innen Ihre Daten für Bestellbetrug missbrauchen. --------------------------------------------- https://www.watchlist-internet.at/news/hilfe-kriminelle-bestellen-produkte-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Actively Exploit F5 BIG-IP Bug ∗∗∗ --------------------------------------------- The bug has a severe rating of 9.8, public exploits are released. --------------------------------------------- https://threatpost.com/exploit-f5-big-ip-bug/179563/ ∗∗∗ Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) ∗∗∗ --------------------------------------------- Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-t… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kicad and qemu), Fedora (thunderbird), Oracle (expat), Red Hat (samba), Slackware (kernel), and SUSE (firefox, ldb, and rsyslog). --------------------------------------------- https://lwn.net/Articles/894499/ ∗∗∗ GENEREX RCCMD vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60801132/ ∗∗∗ SSA-285795 V1.0: Denial of Service in OPC-UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-285795.txt ∗∗∗ SSA-321292 V1.0: Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-321292.txt ∗∗∗ SSA-363107 V1.0: An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk Mode ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-363107.txt ∗∗∗ SSA-480937 V1.0: Denial of Service Vulnerability in CP 44x-1 RNA before V1.5.18 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480937.txt ∗∗∗ SSA-553086 V1.0: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553086.txt ∗∗∗ SSA-626968 V1.0: Multiple Webserver Vulnerabilities in Desigo PXC and DXR Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-626968.txt ∗∗∗ SSA-662649 V1.0: Denial of Service Vulnerability in Desigo DXR and PXC Controllers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-662649.txt ∗∗∗ SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-732250.txt ∗∗∗ SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-736385.txt ∗∗∗ SSA-789162 V1.0: Vulnerabilities in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-789162.txt ∗∗∗ SSA-165073: Multiple Vulnerabilities in the Webinterface of SICAM P850 and SICAM P855 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-165073.txt ∗∗∗ SSA-162616: File Parsing Vulnerabilities in Simcenter Femap before V2022.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162616.txt ∗∗∗ [CA8268] Local privilege escalation vulnerabilities in installers for ESET products for Windows fixed ∗∗∗ --------------------------------------------- https://support.eset.com/en/ca8268-local-privilege-escalation-vulnerabiliti… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to string injection vulnerability due to Node.js (CVE-2021-44532, CVE-2021-44532 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: Cúram Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-22454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39024 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Adminer in Industrial Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-01 ∗∗∗ Eaton Intelligent Power Protector ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-02 ∗∗∗ Eaton Intelligent Power Manager Infrastructure ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-03 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-04 ∗∗∗ AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-05 ∗∗∗ Mitsubishi Electric MELSOFT GT OPC UA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2022
by Daily end-of-shift report 09 May '22

09 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗ --------------------------------------------- Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll. --------------------------------------------- https://heise.de/-7079601 ∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster ∗∗∗ --------------------------------------------- Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt. --------------------------------------------- https://heise.de/-7079962 ∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗ --------------------------------------------- Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren. --------------------------------------------- https://heise.de/-7079049 ∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗ --------------------------------------------- Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagra… ∗∗∗ Bedrohungen in der Cloud ∗∗∗ --------------------------------------------- Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/ ∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗ --------------------------------------------- Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...] --------------------------------------------- https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s… ∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗ --------------------------------------------- A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing… ∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗ --------------------------------------------- It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/constrained-environment-break… ∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗ --------------------------------------------- DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem. --------------------------------------------- https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-sur… ∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗ --------------------------------------------- During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...] --------------------------------------------- https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/ ∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗ --------------------------------------------- The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases. --------------------------------------------- https://asec.ahnlab.com/en/34010/ ∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗ --------------------------------------------- Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...] --------------------------------------------- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool… ∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗ --------------------------------------------- Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurat… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗ --------------------------------------------- Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log. --------------------------------------------- https://support.sophos.com/support/s/article/KB-000043980?language=en_US ∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7079563 ∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗ --------------------------------------------- Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten. --------------------------------------------- https://heise.de/-7079644 ∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗ --------------------------------------------- Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...] --------------------------------------------- https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-p… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog). --------------------------------------------- https://lwn.net/Articles/894353/ ∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗ --------------------------------------------- RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager. --------------------------------------------- https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerabi… ∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12492858 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0549 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2022
by Daily end-of-shift report 06 May '22

06 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-05-2022 18:00 − Freitag 06-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Raspberry Robin worm uses Windows Installer to drop malware ∗∗∗ --------------------------------------------- Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-use… ∗∗∗ Tipps zur Passwortsicherheit am World Password Day ∗∗∗ --------------------------------------------- Heute jährt sich der Welt-Passwort-Tag. Was können Sie tun, um sich online bestmöglich zu schützen? Hier finden Sie Tipps und Tricks für den sicheren Umgang mit Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/tipps-zur-passwortsicherheit-am-worl… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV 0.105.0, 0.104.3, 0.103.6 released ∗∗∗ --------------------------------------------- Today, were also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. --------------------------------------------- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html ∗∗∗ Schadcode-Attacken auf Videoüberwachungssystem und NAS von Qnap möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehreren Lücken in Netzwerkprodukten von Qnap. --------------------------------------------- https://heise.de/-7077449 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, mruby, openjdk-11, and smarty3), Oracle (thunderbird), Red Hat (thunderbird), SUSE (chromium, libvirt, python-Twisted, and tar), and Ubuntu (cron and jbig2dec). --------------------------------------------- https://lwn.net/Articles/894141/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ts3000-tssc-imc-is-vulner… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution with IBM WebSphere Application Server (CVE-2021-23450). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-44716 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability (CVE-2022-22310). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect Rational Asset Analyzer (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39023 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to missing data encoding issue (CVE-2021-39027) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ affects Rational Asset Analyzer (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-v10-is-vulner… ∗∗∗ K52379673: Linux kernel vulnerability for CVE-2021-4083 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52379673 ∗∗∗ K50899356: file vulnerability CVE-2018-10360 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50899356 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0545 ∗∗∗ Foxit Reader: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0544 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-125-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2022
by Daily end-of-shift report 05 May '22

05 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-05-2022 18:00 − Donnerstag 05-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New NetDooka malware spreads via poisoned search results ∗∗∗ --------------------------------------------- A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads… ∗∗∗ The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet ∗∗∗ --------------------------------------------- Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vavet Loader. --------------------------------------------- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malwar… ∗∗∗ The curious case of mavinject.exe ∗∗∗ --------------------------------------------- Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process. --------------------------------------------- https://fourcore.io/blogs/mavinject-curious-process-injection ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-05-04 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen unter anderem eine kritische Lücke in BIG-IP-Systemen. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-7075530 ∗∗∗ Sicherheitsupdates: Cisco schließt VM-Ausbruch-Lücken mit Root-Zugriff ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat unter anderem in Enterprise NFV Infrastrucutre Software eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7075725 ∗∗∗ Sicherheitsupdate schützt IBMs Datenbanksystem Informix Dynamic Server ∗∗∗ --------------------------------------------- Ein wichtiger Sicherheitspatch schließt eine Schwachstelle in IBMs Informix Dynamic Server. --------------------------------------------- https://heise.de/-7076231 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted). --------------------------------------------- https://lwn.net/Articles/894036/ ∗∗∗ 10 Jahre alte Schwachstellen in Avast und AVG gefährden Millionen Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher von Sentinel One haben in den Sicherheitsprodukten von Avast und AVG zwei seit 10 Jahren bestehende, schwerwiegende Schwachstellen entdeckt, die Millionen von Nutzern gefährden. --------------------------------------------- https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-av… ∗∗∗ Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-036 ∗∗∗ Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-035 ∗∗∗ Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-034 ∗∗∗ Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-039 ∗∗∗ Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-038 ∗∗∗ Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Data Encryption has vulnerability ( CVE-2021-39020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-dat… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2022
by Daily end-of-shift report 04 May '22

04 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-05-2022 18:00 − Mittwoch 04-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti, REvil, LockBit ransomware bugs exploited to block encryption ∗∗∗ --------------------------------------------- Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomwa… ∗∗∗ A new secret stash for “fileless” malware ∗∗∗ --------------------------------------------- We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. --------------------------------------------- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ ∗∗∗ Compromising Read-Only Containers with Fileless Malware ∗∗∗ --------------------------------------------- Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments. --------------------------------------------- https://sysdig.com/blog/containers-read-only-fileless-malware/ ∗∗∗ Update on cyber activity in Eastern Europe ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. --------------------------------------------- https://blog.google/threat-analysis-group/update-on-cyber-activity-in-easte… ∗∗∗ Spyware blieb in Unternehmen bis zu 18 Monate lang unentdeckt ∗∗∗ --------------------------------------------- Die "Quietexit" genannte Backdoor blieb teilweise 18 Monate unentdeckt. Sicherheitsforscher vermuten, dass dahinter eine staatliche Gruppe steckt. --------------------------------------------- https://heise.de/-7074066 ∗∗∗ „Vorsicht, Falle!“: Wir brauchen Ihre Hilfe für ein neues Projekt! ∗∗∗ --------------------------------------------- Wir arbeiten derzeit an einem neuen Projekt: Bei „Vorsicht, Falle!“ entwickeln wir einen „Internetfallen-Generator“. Das heißt wir ahmen betrügerische Webseiten nach. Aber nicht mit dem Ziel, an Daten oder Geld zu kommen. Im Gegenteil: Allen, die in unsere Falle tappen, zeigen wir am Beispiel der Betrugsmasche, wie sie diese erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hil… ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-kn… ∗∗∗ XSS in JSON: Old-School Attacks for Modern Applications ∗∗∗ --------------------------------------------- This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON). --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-… ===================== = Vulnerabilities = ===================== ∗∗∗ Uclibc: Alte DNS-Lücke betrifft viele IoT-Geräte ∗∗∗ --------------------------------------------- Eine in Embedded-Geräten eingesetzte Bibliothek ist von Kaminskys DNS-Angriff betroffen, doch die Auswirkungen dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/893839/ ∗∗∗ Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requireme… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is affected to denial of service due to FasterXML jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ K55879220: Overview of F5 vulnerabilities (May 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55879220 ∗∗∗ 2022-11 Multiple vulnerabilities in Provize Basic Frontend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformat… ∗∗∗ 2022-05 Multiple vulnerabilities in Provize Basic Backend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformat… ∗∗∗ 2022-01 Vulnerability in ‘axios’ HTTP client in Provize Basic ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2022
by Daily end-of-shift report 03 May '22

03 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 02-05-2022 18:00 − Dienstag 03-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cyberspies use IP cameras to deploy backdoors, steal Exchange emails ∗∗∗ --------------------------------------------- A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to… ∗∗∗ AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. --------------------------------------------- https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.h… ∗∗∗ Zyxel firmware extraction and password analysis ∗∗∗ --------------------------------------------- In this first article of our Zyxel audit series we will cover firmware extraction and password decryption against Zyxel ZyWALL Unified Security Gateway (USG) appliances. --------------------------------------------- https://security.humanativaspa.it/zyxel-firmware-extraction-and-password-an… ∗∗∗ Trend Micros Apex One meldet Trojaner im Webbrowser Microsoft Edge ∗∗∗ --------------------------------------------- Es mehren sich Beschwerden von Nutzern in den Internetforen, dass der Virenscanner Apex One bei Ihnen einen Trojaner-Befall in Microsofts Edge-Browser meldet. --------------------------------------------- https://heise.de/-7073156 ∗∗∗ Vorsicht vor Betrug auf BlaBlaCar ∗∗∗ --------------------------------------------- BlaBlaCar, eine Plattform für Mitfahrgelegenheiten, gerät ins Visier von Kriminellen. Kriminelle erstellen bei BlaBlaCar Fake-Profile und bieten Fahrten an. Mitfahrer:innen, die diese Fahrt buchen, werden dann auf WhatsApp kontaktiert und auf eine betrügerische Zahlungsplattform gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrug-auf-blablacar/ ∗∗∗ Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks ∗∗∗ --------------------------------------------- Malicious packages in multiple programming languages that went undetected for years were revealed by the Checkmarx Supply Chain Security team using advanced threat hunting techniques. --------------------------------------------- https://checkmarx.com/blog/attackers-target-packages-in-multiple-programmin… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched DNS bug affects millions of routers and IoT devices ∗∗∗ --------------------------------------------- A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at DNS poisoning attack risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-mi… ∗∗∗ Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. --------------------------------------------- https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.ht… ∗∗∗ Fortinet Security Advisories (FortiClient, FortiSOAR, FortiIsolator, FortiOS, FortiProxy, PJSIP Library, FortiNAC) ∗∗∗ --------------------------------------------- * FortiClient (Windows) - Privilege escalation in FortiClient installer * FortiSOAR - Improper access control on gateway API * FortiIsolator - Unauthorized user able to regenerate CA certificate * FortiOS - Improper Inter-VDOM access control * FortiOS - Lack of certificate verification when establishing secure connections to some external end-points * FortiProxy & FortiOS - XSS vulnerability in Web Filter Block Override Form * Multiple vulnerabilities in PJSIP library * FortiNAC - SQL --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=05-2022 ∗∗∗ Patchday: Wichtige Sicherheitsupdates für Android 10, 11 und 12 erschienen ∗∗∗ --------------------------------------------- Google hat sein mobiles Betriebssystem gegen mehrere mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7072491 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, kernel, openvpn, and twisted), Fedora (xz), Mageia (chromium-browser-stable and curl), Oracle (vim and xmlrpc-c), Red Hat (gzip), Slackware (libxml2), SUSE (git, python39, and subversion), and Ubuntu (libvirt and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/893681/ ∗∗∗ Tenda HG6 v3.3.0 Remote Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Configuration Utility and Mobile Enterprise Gateway have vulnerability (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: Vulnerability in IBM JAVA JDK affects IBM Spectrum Scale (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ OpenSSL Security Advisory (CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20220503.txt ∗∗∗ Security Vulnerabilities fixed in Firefox 100 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/ ∗∗∗ Yokogawa CENTUM and ProSafe-RS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-123-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2022
by Daily end-of-shift report 02 May '22

02 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-04-2022 18:00 − Montag 02-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Windows 10 updates infect you with Magniber ransomware ∗∗∗ --------------------------------------------- Fake Windows 10 updates on crack sites are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infe… ∗∗∗ REvil ransomware returns: New malware sample confirms gang is back ∗∗∗ --------------------------------------------- The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new… ∗∗∗ Fake-YouTube-Videos mit Elon Musk führen zu Betrug mit Kryptowährung ∗∗∗ --------------------------------------------- Kriminelle fälschen Videos mit Elon Musk. In diesen Videos erhalten Zuseher:innen angeblich ein Geschenk von Musk. Er bietet die Möglichkeit, Bitcoins oder Ethereum zu verdoppeln. Und das ganz einfach: Sie überweisen Kryptowährung an ein bestimmtes Wallet und erhalten das Doppelte zurück. Achtung: Sie überweisen an Kriminelle und verlieren Geld! --------------------------------------------- https://www.watchlist-internet.at/news/fake-youtube-videos-mit-elon-musk-fu… ∗∗∗ Analysis on recent wiper attacks: examples and how wiper malware works ∗∗∗ --------------------------------------------- This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), [...] --------------------------------------------- https://lwn.net/Articles/893440/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to stack-based buffer overflow in GNU C Library (CVE-2022-23219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a stack-based buffer overflow in GNU C Library (CVE-2022-23218) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow and underflow in GNU C Library (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 91.8.0ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K24207649: GNU C Library (glibc) vulnerability CVE-2021-3999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24207649 ∗∗∗ K52308021: GNU C Library (glibc) vulnerabilities CVE-2022-23218 and CVE-2022-23219 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52308021 ∗∗∗ K19473898: Multiple Expat vulnerabilities CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, and CVE-2022-23515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19473898 ∗∗∗ K91589041: Expat vulnerabilities CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, and CVE-2022-22827 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91589041 ∗∗∗ K23421535: Expat vulnerabilities CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23421535 ∗∗∗ K23231802: Expat vulnerability CVE-2021-46143 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23231802 ∗∗∗ TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-016/ ∗∗∗ Vulnerabilities in the communication protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-577411.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2022
by Daily end-of-shift report 29 Apr '22

29 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-04-2022 18:00 − Freitag 29-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware und Wiper: Cyberangriffe auf deutsche Windenergieunternehmen ∗∗∗ --------------------------------------------- Seit Beginn des Ukrainekrieges sind Windkraftanlagen-Hersteller Opfer von Cyberangriffen geworden. Besonders schwer hatten es die Angreifer wohl nicht. --------------------------------------------- https://www.golem.de/news/ransomware-und-wiper-cyberangriffe-auf-deutsche-w… ∗∗∗ Sicherheitsupdates: Angreifer könnten Firewalls von Cisco neu starten lassen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Cisco Firepower Threat Defense und Adaptive Security Appliance. --------------------------------------------- https://heise.de/-7069408 ∗∗∗ Angreifer könnten in Installationsprozess von Sonicwall Global VPN einsteigen ∗∗∗ --------------------------------------------- Sicherheitslücken gefährden Sonicwall Global VPN Client und Sonicos. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7069729 ∗∗∗ Videokonferenzen: Schwachstellen in Zoom ermöglichen Rechteausweitung und mehr ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in der Zoom-Software könnten Angreifern ermöglichen, ihre Rechte im System auszuweiten oder unbefugt Informationen abzugreifen. --------------------------------------------- https://heise.de/-7069420 ∗∗∗ Studie: Active Directory je nach Branche unterschiedlich angreifbar ∗∗∗ --------------------------------------------- Einer Befragung von IT-Verantwortlichen zufolge spielt bei der Absicherung des Active Directory die Branche eine Rolle. Auch ist die Unternehmensgröße relevant. --------------------------------------------- https://heise.de/-7069098 ∗∗∗ EmoCheck now detects new 64-bit versions of Emotet malware ∗∗∗ --------------------------------------------- The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-… ∗∗∗ Colibri Loaders Unique Persistence Technique Using Get-Variable Cmdlet ∗∗∗ --------------------------------------------- Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses the Powershell's Get-Variable cmdlet. According to MSDN, Get-Variable is a Powershell cmdlet that gets the PowerShell variables in the current console. In short, on Windows 10 or later systems, Colibri Loader drops its copy in %APPDATA%\Local\Microsoft\WindowsApps directory with the name Get-Variable.exe. It then creates a scheduled task to run Powershell in a hidden manner using powershell.exe -windowstyle hidden To the naked eye, it looks that only Powershell is running, but this scheduled task somehow triggers Colibri Loader to run. --------------------------------------------- https://fourcore.io/blogs/colibri-loader-powershell-get-variable-persistence ∗∗∗ Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th) ∗∗∗ --------------------------------------------- In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name. --------------------------------------------- https://isc.sans.edu/diary/rss/28596 ∗∗∗ Don’t expect to get your data back from the Onyx ransomware group ∗∗∗ --------------------------------------------- Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/04/29/onyx-ransomw… ∗∗∗ Bypassing LDAP Channel Binding with StartTLS ∗∗∗ --------------------------------------------- Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller. --------------------------------------------- https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-startt… ∗∗∗ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware ∗∗∗ --------------------------------------------- We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberok… ∗∗∗ The Package Analysis Project: Scalable detection of malicious open source packages ∗∗∗ --------------------------------------------- Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. --------------------------------------------- http://security.googleblog.com/2022/04/the-package-analysis-project-scalabl… ∗∗∗ Analyzing VSTO Office Files ∗∗∗ --------------------------------------------- VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...] --------------------------------------------- https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/ ∗∗∗ Trello From the Other Side: Tracking APT29 Phishing Campaigns ∗∗∗ --------------------------------------------- Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service. --------------------------------------------- https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer ∗∗∗ --------------------------------------------- SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036 ∗∗∗ AC500 V3 CODESYS VULNERABILITIES ∗∗∗ --------------------------------------------- All AC500 V3 products with firmware version smaller than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR010997&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/893102/ ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0521 ∗∗∗ Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-6-6-1-released/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-0155, CVE-2022-0536, CVE-2021-3749 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-uc-deploy-container-image… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2022
by Daily end-of-shift report 28 Apr '22

28 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-04-2022 18:00 − Donnerstag 28-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ security.txt: Kontaktinfos für IT-Sicherheitsmeldungen standardisiert ∗∗∗ --------------------------------------------- Ein RFC beschreibt, wie Webseiten über die Datei security.txt Kontaktinformationen für Sicherheitsforscher bereitstellen können. --------------------------------------------- https://www.golem.de/news/security-txt-kontaktinfos-fuer-it-sicherheitsmeld… ∗∗∗ Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution ∗∗∗ --------------------------------------------- MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. [...] This was mitigated within 48 hours (on January 13, 2022). --------------------------------------------- https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-fl… ∗∗∗ A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th) ∗∗∗ --------------------------------------------- After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, we set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. And to keep things more interesting, we are forwarding traffic from a subset of our honeypots to the system. This gives us a pretty nice cross-section and keeps the system pretty busy. Other than not applying the April patches, the system isn't particularly vulnerable and is left in the default configuration (firewall disabled, of course). So what did we get? --------------------------------------------- https://isc.sans.edu/diary/rss/28594 ∗∗∗ This isnt Optimus Primes Bumblebee but its Still Transforming ∗∗∗ --------------------------------------------- Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transf… ∗∗∗ Nimbuspwn detector ∗∗∗ --------------------------------------------- This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team. --------------------------------------------- https://github.com/jfrog/nimbuspwn-tools ∗∗∗ QNAP customers urged to disable AFP to protect against severe vulnerabilities ∗∗∗ --------------------------------------------- MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-cus… ∗∗∗ LAPSUS$: Recent techniques, tactics and procedures ∗∗∗ --------------------------------------------- This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents. --------------------------------------------- https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-a… ∗∗∗ Neue Cyberspionage‑Kampagnen der TA410 Gruppe ∗∗∗ --------------------------------------------- ESET-Forscher enthüllen ein detailliertes Profil der APT-Gruppe TA410: Wir glauben, dass diese Cyberspionage-Dachgruppe aus drei verschiedenen Teams besteht, die unterschiedliche Tools verwenden, darunter eine neue Version der von ESET entdeckten FlowCloud-Spionage-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/04/27/cyberspionage-unter-dem-t… ∗∗∗ CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/28/cisa-and-fbi-upda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/730007 ∗∗∗ VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value ∗∗∗ --------------------------------------------- Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt. --------------------------------------------- https://kb.cert.org/vuls/id/411271 ∗∗∗ IBM Security Bulletins 2022-04-27 ∗∗∗ --------------------------------------------- IBM InfoSphere Information Server, IBM Watson for IBM Cloud Pak, Liberty for Java for IBM Cloud, IBM Cloud Transformation Advisor, WebSphere Application Server, IBM Spectrum Discover, IBM Integration Bus, IBM App Connect Enterprise, IBM Netezza Platform Server, IBM PowerVM Novalink, IBM Spectrum Scale SMB protocol --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-04-27 ∗∗∗ --------------------------------------------- Cisco released 17 Security Advisories (11 High, 6 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ PHP Object Injection Vulnerability in Booking Calendar Plugin ∗∗∗ --------------------------------------------- On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-cale… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird). --------------------------------------------- https://lwn.net/Articles/893001/ ∗∗∗ Synology-SA-22:06 Netatalk ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_06 ∗∗∗ CVE-2022-23812: NPM Package node-ipc With Malicious Code Found in Russia and Belarus ∗∗∗ --------------------------------------------- Malicious code, also known as protestware, within certain versions of the package was causing chaos among Russia and Belarus based developers—overwriting their entire file system with a heart emoji. These versions (10.1.0 and 10.1.2) are now tracked under CVE-2022-23812. --------------------------------------------- https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-c… ∗∗∗ ZDI-22-622: Sante DICOM Viewer Pro J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-622/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-118-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2022
by Daily end-of-shift report 27 Apr '22

27 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-04-2022 18:00 − Mittwoch 27-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet malware now installs via PowerShell in Windows shortcut files ∗∗∗ --------------------------------------------- The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-… ∗∗∗ RIG Exploit Kit drops RedLine malware via Internet Explorer bug ∗∗∗ --------------------------------------------- Threat analysts have uncovered yet another large-scale campaign delivering the RedLine stealer malware onto worldwide targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redlin… ∗∗∗ MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering, (Wed, Apr 27th) ∗∗∗ --------------------------------------------- On Monday, a new version of the framework was released, which (among other changes) extends its content a little in order to make its use more straightforward when it comes to mapping of existing detections and for implementation of new ones. --------------------------------------------- https://isc.sans.edu/diary/rss/28590 ∗∗∗ Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054) ∗∗∗ --------------------------------------------- We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body. --------------------------------------------- https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/ ∗∗∗ Npm-Schwachstelle "Package Planting": Vertrauen ist gut, Kontrolle ist besser ∗∗∗ --------------------------------------------- Eine als Package Planting bezeichnete Sicherheitslücke im Paketmanager npm erlaubte laut Aquasec, die Vertrauenswürdigkeit bekannter Maintainer zu missbrauchen. --------------------------------------------- https://heise.de/-7066873 ∗∗∗ Knapp die Hälfte der Ransomware-Opfer zahlt Lösegeld ∗∗∗ --------------------------------------------- Die Zahl der von Erpressungstrojanern angegriffenen Mittelständler weltweit steigt. Und viele von ihnen zahlen Lösegeld - oft in siebenstelliger Höhe. --------------------------------------------- https://heise.de/-7067219 ∗∗∗ Webinar: Sicher bezahlen im Internet ∗∗∗ --------------------------------------------- Am Dienstag, den 3. Mai 2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Sicher bezahlen im Internet" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-bezahlen-im-internet/ ∗∗∗ Betrügerische Anrufe zu Investitionsmöglichkeiten und Bitcoin ∗∗∗ --------------------------------------------- Vermehrt werden der Watchlist Internet aktuell betrügerische Anrufe gemeldet. Kriminelle versuchen durch diese Anrufe Opfer für Investment-Betrugsmaschen zu gewinnen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-anrufe-zu-investition… ∗∗∗ AA22-117A: 2021 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-117a ===================== = Vulnerabilities = ===================== ∗∗∗ New Nimbuspwn Linux vulnerability gives hackers root privileges ∗∗∗ --------------------------------------------- A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nimbuspwn-linux-vulnerab… ∗∗∗ CVE-2022-26148 Grafana Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Grafana. Grafana versions through 7.3.4 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). --------------------------------------------- https://security.netapp.com/advisory/ntap-20220425-0005/ ∗∗∗ Schadcode könnte Nvidias Embedded-System Jetson gefährlich werden ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen Lücken in verschiedenen Jetson-Systemen von Nvidia. --------------------------------------------- https://heise.de/-7067304 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/892802/ ∗∗∗ Chrome 101.0.4951.41 fixt 30 Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 26. April 2022 Updates des Google Chrome 101.0.4951.41 für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das ist der neue 101-Entwicklungszweig, wobei das Update 30, zum Teil als Hoch eingestufte Schwachstellen schließt. --------------------------------------------- https://www.borncity.com/blog/2022/04/27/chrome-101-0-4951-41-fixt-30-schwa… ∗∗∗ Security Advisory - Buffer Overflow Vulnerabilities In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220427-… ∗∗∗ Security Bulletin: UrbanCode Deploy users with create-resource permission for the standard resource type may create child resources inheriting custom types (CVE-2022-22315). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-users-wi… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects SPSS Collaboration and Deployment Services (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ K51975973: Eclipse Jetty vulnerability CVE-2021-34428 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51975973 ∗∗∗ PILZ: PMC programming tool 2.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-055/ ∗∗∗ PILZ: PMC programming tool 3.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-061/ ∗∗∗ PILZ: Multiple vulnerabilities in CODESYS V2 and V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-054/ ∗∗∗ BENDER/EBEE: Multiple Charge Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-047/ ∗∗∗ Miele: Security vulnerability in Benchmark Programming Tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-015/ ∗∗∗ Improper Control of Generation of Code in Bosch MATRIX ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-309239-bt.html ∗∗∗ Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-982696.html ∗∗∗ SonicOS Content Filtering Service and SNMP feature affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2022
by Daily end-of-shift report 26 Apr '22

26 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-04-2022 18:00 − Dienstag 26-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet war kaputt, infiziert jetzt aber wieder vermehrt Windows-Computer ∗∗∗ --------------------------------------------- Die hoch entwickelte Schadsoftware Emotet baut nach einem Fehler seine Attacken weltweit weiter aus. --------------------------------------------- https://heise.de/-7064903 ∗∗∗ Virustotal: Einbrecher führen eigenen Code auf Googles Servern aus ∗∗∗ --------------------------------------------- Update 26.04.2022 16:00 Uhr: Der Virustotal-Gründer Bernardo Quintero twitterte, dass keine VT-Maschinen direkt betroffen waren. Es handelte sich um Dritthersteller-und Partner-Maschinen etwa bei Antivirus-Herstellern, die die Daten von Virustotal für ihre Zwecke analysieren, erläutert Quintero dort. --------------------------------------------- https://heise.de/-7065048 ∗∗∗ Welpen kaufen im Internet: bulldogge-franzosische-welpen.com ist Betrug ∗∗∗ --------------------------------------------- Wer im Internet nach Welpen sucht, stößt höchstwahrscheinlich auf betrügerische Online-Shops für Welpen. „bulldogge-franzosische-welpen.com“ ist ein solcher Shop. Dort werden bezaubernde Welpen geboten, sogar mit Papieren. 900 Euro kostet eine französische Bulldogge. Doch Vorsicht: Sie erhalten trotz Bezahlung keinen Welpen. --------------------------------------------- https://www.watchlist-internet.at/news/welpen-kaufen-im-internet-bulldogge-… ∗∗∗ Hackers exploit critical VMware RCE flaw to install backdoors ∗∗∗ --------------------------------------------- Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects in VMware Workspace ONE Access (formerly called VMware Identity Manager). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmw… ∗∗∗ Phishing goes KISS: Don’t let plain and simple messages catch you out! ∗∗∗ --------------------------------------------- Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because theyre uncomplicated. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/25/phishing-goes-kiss-dont-let-pla… ∗∗∗ WSO2 RCE exploited in the wild, (Tue, Apr 26th) ∗∗∗ --------------------------------------------- While investigating a malicious crypto-mining case, I discovered that attackers implanted the payload exploiting a recently patched RCE vulnerability (CVE-2022-29464) affecting multiple WSO2 products, including API Manager. The vulnerability was discovered by Orange Tsai and responsibly disclosed to WSO2. --------------------------------------------- https://isc.sans.edu/diary/rss/28586 ∗∗∗ Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks ∗∗∗ --------------------------------------------- We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks. Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000! --------------------------------------------- https://www.shadowserver.org/news/over-18-8-million-ips-vulnerable-to-middl… ∗∗∗ Conti Ransomware Activity Surges Despite Exposure of Groups Operations ∗∗∗ --------------------------------------------- Conti ransomware activity has surged in the past weeks despite the recent exposure of the group’s operations by a pro-Ukraine hacktivist. --------------------------------------------- https://www.securityweek.com/conti-ransomware-activity-surges-despite-expos… ∗∗∗ Lapsus$: The script kiddies are alright ∗∗∗ --------------------------------------------- One afternoon last month, the regional head of security for the identity management platform Okta, an Australian named Brett Winterford, was in the middle of a client meeting when his phone sprang to life. “The first message said, ‘It looks like you’re going to have a bad day,’” he recently recalled. “And the second message [...] --------------------------------------------- https://therecord.media/lapsus-the-script-kiddies-are-alright/ ∗∗∗ New Malware of Lazarus Threat Actor Group Exploiting INITECH Process ∗∗∗ --------------------------------------------- The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In systems of the organizations infected with the malware, it was found that malicious behaviors stemmed from the process of INITECH (inisafecrosswebexsvc.exe), [...] --------------------------------------------- https://asec.ahnlab.com/en/33801/ ∗∗∗ Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms ∗∗∗ --------------------------------------------- Phishing continues to be the number one threat faced by companies of all sizes, and one of the main entry points threat actors use to infiltrate networks. As defenses continue to evolve, so do the tactics threat actors use to circumvent those defenses. In this article, the GoSecure Titan® Inbox Detection & Response (IDR) team shares examples of tactics threat actors have used to bypass anti-phishing defenses. --------------------------------------------- https://www.gosecure.net/blog/2022/04/26/evasive-phishing-techniques-threat… ∗∗∗ Attacker Adds Evasive Technique to Their Ongoing Attacks on NPM ∗∗∗ --------------------------------------------- A few weeks ago, we wrote about a new threat actor we called RED-LILI and described their capabilities, including an in-depth walkthrough of the automated system for publishing malicious NPM packages from automatically created user accounts. After our publication, we [...] --------------------------------------------- https://checkmarx.com/blog/attacker-adds-evasive-technique-to-their-ongoing… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git). --------------------------------------------- https://lwn.net/Articles/892674/ ∗∗∗ Hitachi Energy System Data Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Integer Overflow or Wraparound, Reachable Assertion, Type Confusion, Uncontrolled Recursion, and Observable Discrepancy vulnerabilities in Hitachi Energy System Data Manager products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-116-01 ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series (Update B) ∗∗∗ --------------------------------------------- This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series software management platforms. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/25/cisa-adds-seven-k… ∗∗∗ K53648360: Linux kernel vulnerability CVE-2022-27666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53648360 ∗∗∗ Pepperl+Fuchs: Vulnerability in multiple VisuNet devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-012/ ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0499 ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is vulnerable to a denial of service vulnerability (CVE-2022-22323, CVE-2022-22312) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be vulnerable to an exposure of sensitive information by an aunauthorized actor through follow-redirects (CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM Process Mining (CVE-2022-23181) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-22345, CVE-2020-8022, CVE-2021-33813, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2022
by Daily end-of-shift report 25 Apr '22

25 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-04-2022 18:00 − Montag 25-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Einbruch in kritische Infrastrukturen: Experten zeigen, wie einfach es ist ∗∗∗ --------------------------------------------- Niederländische Forscher haben beim Hackerwettbewerb Pwn2Own demonstriert, wie leicht sich Industriesoftware übernehmen lässt, die zentrale Dienste steuert. --------------------------------------------- https://heise.de/-7062641 ∗∗∗ Netzwerkspeicher: Apple-Protokolle reißen Sicherheitslücken in Qnap-NAS ∗∗∗ --------------------------------------------- Die Unterstützung von Apples Netzwerkprotokollen durch netatalk in Qnap-NAS-Systemen bringt teils kritische Sicherheitslücken mit. Erste Updates stehen bereit. --------------------------------------------- https://heise.de/-7064336 ∗∗∗ Hacker-Gruppe Lapsus$ soll Sourcecode von T-Mobile kopiert haben ∗∗∗ --------------------------------------------- Angreifer sind mit erbeuteten Zugangsdaten in Computer-Systeme von T-Mobile eingebrochen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7063836 ∗∗∗ Fake-E-Mail von Spotify: Kriminelle versuchen Ihr Konto zu übernehmen ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte Spotify-E-Mails, um Ihr Konto zu übernehmen und Kreditkartendaten zu stehlen. Nutzer:innen erhalten vom Absender „Spotify-Rechnung“ ein Schreiben, in dem ein Problem mit Ihrer Zahlung vorgetäuscht wird. Im E-Mail werden Sie gebeten, auf einen Button zu klicken. Dieser führt dann auf eine gefälschte Spotify-Login-Seite. Daten, die dort eingetippt werden, landen direkt bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-e-mail-von-spotify-kriminelle-v… ∗∗∗ New powerful Prynt Stealer malware sells for just $100 per month ∗∗∗ --------------------------------------------- Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-powerful-prynt-stealer-m… ∗∗∗ DDoS attacks in Q1 2022 ∗∗∗ --------------------------------------------- Against the backdrop of the conflict between Russia and Ukraine, the number of DDoS attacks in Q1 2022 increased by 4.5 times against Q1 2021. A significant proportion of them were by hacktivists. --------------------------------------------- https://securelist.com/ddos-attacks-in-q1-2022/106358/ ∗∗∗ Are Roku Streaming Devices Safe from Exploitation?, (Sat, Apr 23rd) ∗∗∗ --------------------------------------------- I have noticed in the past several weeks random scans specifically for Roku streaming devices (and likely other types) captured by my honeypot. If they can be compromised, what can be gain? Settings like stored payment information, personal information (email/password), subscription, App selected, etc. Like any other devices, it is important to keep the OS and Apps up-to-date. --------------------------------------------- https://isc.sans.edu/diary/rss/28578 ∗∗∗ Simple PDF Linking to Malicious Content, (Mon, Apr 25th) ∗∗∗ --------------------------------------------- Last week, I found an interesting piece of phishing based on a PDF file. Today, most of the PDF files that are delivered to end-user are not malicious, I mean that they dont contain an exploit to trigger a vulnerability and infect the victims computer. They are just used as a transport mechanism to deliver more malicious content. Yesterday, Didier analyzed the same kind of Word document[1]. They are more and more common because they are (usually) not blocked by common filters at the perimeter. --------------------------------------------- https://isc.sans.edu/diary/rss/28582 ∗∗∗ Researcher Releases PoC for Recent Java Cryptographic Vulnerability ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online. The high-severity flaw in question, CVE-2022-21449 (CVSS score: 7.5), impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition - [...] --------------------------------------------- https://thehackernews.com/2022/04/researcher-releases-poc-for-recent-java.h… ∗∗∗ Defeating BazarLoader Anti-Analysis Techniques ∗∗∗ --------------------------------------------- Anti-analysis techniques make it harder for malware analysts to do their work. We cover BazarLoader anti-analysis techniques and how to defeat them. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/ ∗∗∗ Webcam hacking: How to know if someone may be spying on you through your webcam ∗∗∗ --------------------------------------------- Camfecting doesn’t ‘just’ invade your privacy – it could seriously impact your mental health and wellbeing. Here’s how to keep an eye on your laptop camera. --------------------------------------------- https://www.welivesecurity.com/2022/04/25/webcam-hacking-how-know-someone-s… ∗∗∗ Quantum Ransomware ∗∗∗ --------------------------------------------- In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for [...] --------------------------------------------- https://thedfirreport.com/2022/04/25/quantum-ransomware/ ∗∗∗ FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/22/fbi-releases-iocs… ∗∗∗ Malware analysis report on SparrowDoor malware ∗∗∗ --------------------------------------------- A technical analysis of a new variant of the SparrowDoor malware. --------------------------------------------- https://www.ncsc.gov.uk/report/mar-sparrowdoor ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bug in Everscale Wallet Couldve Let Attackers Steal Cryptocurrencies ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the web version of the Ever Surf wallet that, if successfully weaponized, could allow an attacker to gain full control over a victims wallet. --------------------------------------------- https://thehackernews.com/2022/04/critical-bug-in-everscale-wallet.html ∗∗∗ IBM Security Bulletins 2022-04-22 ∗∗∗ --------------------------------------------- IBM Cloud Private, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Sterling File Gateway, IBM Watson Explorer, IBM Planning Analytics, IBM App Connect Enterprise --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ IBM schließt kritische Sicherheitslücken in Cognos Analytics ∗∗∗ --------------------------------------------- In der Business-Intelligence-Software IBM Cognos Analytics könnten Angreifer unter anderem Schadcode einschleusen. Aktualisierte Software behebt die Probleme. --------------------------------------------- https://heise.de/-7063645 ∗∗∗ Sicherheitsupdates Atlassian Jira: Angreifer könnten Authentifizierung umgehen ∗∗∗ --------------------------------------------- Die Entwickler haben eine kritische Sicherheitslücke im Projektmanagement-Tool Jira geschlossen. --------------------------------------------- https://heise.de/-7063649 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/892536/ ∗∗∗ Opportunistic Exploitation of WSO2 CVE-2022-29464 ∗∗∗ --------------------------------------------- On April 18, 2022, MITRE published CVE-2022-29464, an unrestricted file upload vulnerability affecting various WSO2 products. --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-w… ∗∗∗ FreeRADIUS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0496 ∗∗∗ Multiple Vulnerabilities in Netatalk ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2022
by Daily end-of-shift report 22 Apr '22

22 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-04-2022 18:00 − Freitag 22-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Apple-Codec sorgt für Lücke in Android-Smartphones ∗∗∗ --------------------------------------------- Mit päparierten Audiodateien haben sich etliche Android-Smartphones mit Qualcomm- oder Mediatek-Chip hacken lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-apple-codec-sorgt-fuer-luecke-i… ∗∗∗ LemonDuck zielt auf Docker ∗∗∗ --------------------------------------------- LemonDuck, ein Kryptomining-Botnet, hat es auf Docker abgesehen, um Kryptowährung auf Linux-Systemen zu schürfen. Diese Kampagne ist derzeit aktiv. --------------------------------------------- https://www.zdnet.de/88400783/lemonduck-zielt-auf-docker/ ∗∗∗ Kritische Lücken in XML Parser Expat gefährden IBM Db2 ∗∗∗ --------------------------------------------- Updates sichern die Datenbank-Software Db2 von IBM ab. Angreifer könnten Systeme mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7062152 ∗∗∗ Vorsicht Fake-SMS: „Sie haben eine neue Sprachnachricht erhalten“ ∗∗∗ --------------------------------------------- Leser:innen der Watchlist Internet melden derzeit wieder vermehrt betrügerische SMS. Kriminelle behaupten dabei, dass Sie eine neue Sprachnachricht hätten. Um mehr zu erfahren, sollen Sie auf einen Link klicken. Wer diesem Link folgt, landet auf einer betrügerischen Webseite, auf der eine App heruntergeladen werden soll. Installieren Sie die App auf keinen Fall! Es handelt sich um gefährliche Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-fake-sms-sie-haben-eine-neu… ∗∗∗ QNAP warns of new bugs in its Network Attached Storage devices ∗∗∗ --------------------------------------------- Heres what you need to know - plus some sensible advice for all the devices on your home or small biz network! --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/22/qnap-warns-of-new-bugs-in-its-n… ∗∗∗ Threat Assessment: BlackByte Ransomware ∗∗∗ --------------------------------------------- BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation. --------------------------------------------- https://unit42.paloaltonetworks.com/blackbyte-ransomware/ ∗∗∗ Atlassian fixes critical Jira authentication bypass vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the companys web application security framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-jir… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/892372/ ∗∗∗ Multiple vulnerabilities found in Mitsubishi controllers ∗∗∗ --------------------------------------------- Mitsubishi recommends using encryption and firewalls. This will help minimize the risk of the detected vulnerabilities being exploited. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/multiple-vulnerabilities-found-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – nginx (CVE-2018-16844, CVE-2018-16845, CVE-2018-16843, CVE-2019-7401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Node.js affects IBM Process Mining (CVE-2019-5484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27223,CVE-2021-28169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Node.js Color-String affects IBM Process Mining (CVE-2021-29060) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – curl (CVE-2020-8231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in http2-common affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-http2-co… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – NGINX (CVE-2019-20372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Node.js normalize-url affects IBM Process Mining (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Node.js IS-SVG affects IBM Process Mining (CVE-2021-29059, CVE-2021-28092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: The Apache Log4j (CVE-2021-4104) vulnerability affects TPF Operations Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-apache-log4j-cve-2021… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to WebSphere Liberty is vulnerable, PowerVM Novalink could allow a remote attacker to hijack the clicking action of the victim. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-websphere-liberty-… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-39031 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to a denial of service through node.js lodash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO affects IBM Process Mining (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in nth-check affects IBM Process Mining (CVE-2021-3803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nth-chec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2022
by Daily end-of-shift report 21 Apr '22

21 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-04-2022 18:00 − Donnerstag 21-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy Hive ransomware ∗∗∗ --------------------------------------------- A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ REvils TOR sites come alive to redirect to new ransomware operation ∗∗∗ --------------------------------------------- REvil ransomwares servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-… ∗∗∗ Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st) ∗∗∗ --------------------------------------------- It’s not the first time that I found a piece of code that monitors the clipboard and swap the BTC address found with the attacker's one. This time, the script that I found supports a lot of cryptocurrencies! --------------------------------------------- https://isc.sans.edu/diary/rss/28574 ∗∗∗ Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark ∗∗∗ --------------------------------------------- This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments. --------------------------------------------- https://research.nccgroup.com/2022/04/20/mitigating-the-top-10-security-thr… ∗∗∗ Two OpenWrt updates ∗∗∗ --------------------------------------------- The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support. --------------------------------------------- https://lwn.net/Articles/892161/ ∗∗∗ Willhaben, ebay, Vinted & Co. im Fokus von Kriminellen! ∗∗∗ --------------------------------------------- Egal ob Sie etwas kaufen oder verkaufen wollen – nehmen Sie sich vor der Abzocke auf Kleinanzeigenplattformen in Acht! Wenn Sie dazu aufgefordert werden, die Transaktion mithilfe eines Kurierdienstes abzuwickeln, brechen Sie den Kontakt ab. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-ebay-vinted-co-im-fokus-vo… ∗∗∗ Abusing Azure Container Registry Tasks ∗∗∗ --------------------------------------------- In this post, I will explain how one Azure service supporting DevOps can start in a very solid “secure by default” state, but then quickly descend into a very dangerous configured state. --------------------------------------------- https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfa… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.6 --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ TeamTNT targeting AWS, Alibaba ∗∗∗ --------------------------------------------- TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run in on-premise, container, or other forms of Linux instances. --------------------------------------------- http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-20 ∗∗∗ --------------------------------------------- Cisco published 12 Security Advisories (3 High, 9 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Statischer SSH-Schlüssel macht Cloudsicherheitssystem Cisco Umbrella zu schaffen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates für Hard- und Software von Cisco schließen mehrere Lücken. Angreifer könnten Admin-Zugangsdaten mitschneiden. --------------------------------------------- https://heise.de/-7061311 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure,[...] --------------------------------------------- https://lwn.net/Articles/892214/ ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-009 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-008 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affect App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: IBM Emptoris Supplier Lifecycle Management vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-supplier-lif… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-use-case-manag… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the included Expat 3rd party library (CVE-2022-23852 and CVE-2022-23990) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: A Vulnerability in IBM WebSphere Application Server – Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Jira Security Advisory 2022-04-20 ∗∗∗ --------------------------------------------- https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-111… ∗∗∗ Delta Electronics ASDA-Soft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01 ∗∗∗ Johnson Controls Metasys SCT Pro ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02 ∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2022
by Daily end-of-shift report 20 Apr '22

20 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-04-2022 18:00 − Mittwoch 20-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CISA warns of attackers now exploiting Windows Print Spooler bug ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-… ∗∗∗ Emotet botnet switches to 64-bit modules, increases activity ∗∗∗ --------------------------------------------- The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64… ∗∗∗ Google: 2021 war Rekordjahr für entdeckte Zero Days ∗∗∗ --------------------------------------------- Laut Google ändert sich die Ursache der Sicherheitslücken selbst aber kaum. Größtes Problem bleiben Speicherfehler. --------------------------------------------- https://www.golem.de/news/google-2021-war-rekordjahr-fuer-entdeckte-zero-da… ∗∗∗ "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic, (Wed, Apr 20th) ∗∗∗ --------------------------------------------- Chain of Events and IOCs of a Qakbot infection. --------------------------------------------- https://isc.sans.edu/diary/rss/28568 ∗∗∗ Phishing-Welle zu Online-Banking rollt durch Postfächer ∗∗∗ --------------------------------------------- Aktuell rollt eine Phishing-Welle durch österreichische E-Mail-Postfächer, mit der es Kriminelle vor allem auf Online-Banking-Daten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-welle-zu-online-banking-rol… ∗∗∗ CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment ∗∗∗ --------------------------------------------- CISA has released draft versions of two guidance documents—along with a request for comment (RFC)—that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/19/cisa-releases-sec… ∗∗∗ Investigating an engineering workstation – Part 3 ∗∗∗ --------------------------------------------- In our third blog post we will focus on information we can get from the projects itself. --------------------------------------------- https://blog.nviso.eu/2022/04/20/investigating-an-engineering-workstation-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Elliptische Kurven: Java-Signaturprüfung lässt sich mit Nullen austricksen ∗∗∗ --------------------------------------------- Bei der Prüfung von ECDSA-Signaturen in Java fand sich ein Fehler, der dazu führt, dass man eine immer gültige Signatur erstellen kann. --------------------------------------------- https://www.golem.de/news/elliptische-kurven-java-signaturpruefung-laesst-s… ∗∗∗ Oracle stellt 520 Sicherheitspatches für sein Software-Portfolio bereit ∗∗∗ --------------------------------------------- Admins von Oracle-Anwendungen sollten die verfügbaren Aktualisierungen installieren, um zum Teil kritische Sicherheitslücken zu schließen. --------------------------------------------- https://heise.de/-6746906 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash). --------------------------------------------- https://lwn.net/Articles/892047/ ∗∗∗ AWSs Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation ∗∗∗ --------------------------------------------- We identified severe security issues within AWS Log4Shell hot patch solutions. We provide a root cause analysis and overview of fixes and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/ ∗∗∗ SSA-254054: Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-254054.txt ∗∗∗ Security Bulletin: IBM Emptoris Strategic Supply Management Platform is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-strategic-su… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by Node.js vulnerability (CVE-2021-22939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Emptoris Sourcing is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-sourcing-is-… ∗∗∗ Security Bulletin: IBM Emptoris Contract Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-contract-man… ∗∗∗ Security Bulletin: IBM Emptoris Program Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-program-mana… ∗∗∗ April 19, 2022 TNS-2022-09 [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-09 ∗∗∗ Veritas NetBackup: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0474 ∗∗∗ Interlogix Hills ComNav ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01 ∗∗∗ Automated Logic WebCTRL ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02 ∗∗∗ FANUC ROBOGUIDE Simulation Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03 ∗∗∗ Elcomplus SmartPPT SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04 ∗∗∗ Multiple ctrlX CORE vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-029150.html ∗∗∗ MISP 2.4.158 security fix and general improvement release ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.158 ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2022
by Daily end-of-shift report 19 Apr '22

19 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-04-2022 18:00 − Dienstag 19-04-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Freier Decryptor für Yanlouwang-Ransomware ∗∗∗ --------------------------------------------- Sicherheitsanbieter Kaspersky hat in der Verschlüsselung der Yanlouwang-Ransomware eine Schwachstelle entdeckt. In Folge dieser Schwachstelle kann die Verschlüsselung von Dateien unter bestimmten Voraussetzungen geknackt werden. Jedenfalls steht ein kostenloser Decryptor für die Yanlouwang-Ransomware zur Verfügung. --------------------------------------------- https://www.borncity.com/blog/2022/04/19/freier-decryptor-fr-yanlouwang-ran… ∗∗∗ Achtung unseriös: hondrox.com, hondrox.eu & hondrox.shop ∗∗∗ --------------------------------------------- Auf der Suche nach Behandlungsmöglichkeiten bei Gelenkschmerzen stoßen Sie möglicherweise auf „Hondrox“. Ein Spray, der die „Wiederherstellung der Knorpel in den Gelenken“ sowie Schmerzlinderung verspricht. Auf hondrox.com, hondrox.eu und hondrox.shop wird dieses vermeintliche Wundermittel angeboten. Doch Vorsicht: Diese Online-Shops sind unseriös. Sie verschwenden Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-unserioes-hondroxcom-hondrox… ∗∗∗ GitHub-Sicherheitslücke: OAuth-Token von Heroku und Travis-CI kompromittiert ∗∗∗ --------------------------------------------- Unauthorisierte Zugriffe auf die npm-Infrastruktur haben kriminelle Aktivitäten enttarnt. Betroffenen sind OAuth-Token von Heroku und Travis-CI. --------------------------------------------- https://heise.de/-6703708 ∗∗∗ Sicherheit fürs Anmelden: Was bei Kennwörtern, FIDO2 und TOTP zu beachten ist ∗∗∗ --------------------------------------------- In der Theorie sind zweite Faktoren einfach. In der praktischen Umsetzung tauchen aber diverse Fragen auf – die häufigsten haben wir zusammengetragen. --------------------------------------------- https://heise.de/-6660829 ∗∗∗ Lenovo System Update könnte Schadcode auf Computer lassen ∗∗∗ --------------------------------------------- Lenovo hat Sicherheitslücken in einer Anwendung und verschiedenen BIOS-Versionen geschlossen und Hintertüren entfernt. --------------------------------------------- https://heise.de/-6740544 ∗∗∗ Studie: Ciscos Webex telefoniert auch stummgeschaltet nach Hause ∗∗∗ --------------------------------------------- Bei einer Untersuchung der Stummschaltefunktion von Videokonferenzsoftware fiel Ciscos Webex negativ auf. --------------------------------------------- https://www.golem.de/news/studie-ciscos-webex-telefoniert-auch-stummgeschal… ∗∗∗ New stealthy BotenaGo malware variant targets DVR devices ∗∗∗ --------------------------------------------- Threat analysts have spotted a new variant of the BotenaGo botnet malware, and its the stealthiest seen so far, running undetected by any anti-virus engine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-botenago-malwar… ∗∗∗ Managing container vulnerability risks: Tools and best practices ∗∗∗ --------------------------------------------- Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns. --------------------------------------------- https://www.csoonline.com/article/3656702/managing-container-vulnerability-… ∗∗∗ Sysmons RegistryEvent (Value Set), (Mon, Apr 18th) ∗∗∗ --------------------------------------------- A colleague asked me about Sysmon's event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13. --------------------------------------------- https://isc.sans.edu/diary/rss/28558 ∗∗∗ Why you shouldn’t automate your VirusTotal uploads ∗∗∗ --------------------------------------------- Security teams use VirusTotal as a second opinion scanner, but its not advisable to upload documents to VirusTotal as that may result in a breach of confidence and exposure of confidential data. --------------------------------------------- https://blog.malwarebytes.com/101/2022/04/why-you-shouldnt-automate-your-vi… ∗∗∗ How vx-underground is building a hacker’s dream library ∗∗∗ --------------------------------------------- When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx. --------------------------------------------- https://therecord.media/how-vx-underground-is-building-a-hackers-dream-libr… ∗∗∗ Stories from the SOC - Lateral movement using default accounts ∗∗∗ --------------------------------------------- The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten sich als Admins an Cisco Wireless LAN Controller anmelden ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem Cisco IOS XE, SD-WAN und WLC. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6737709 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby). --------------------------------------------- https://lwn.net/Articles/891725/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc). --------------------------------------------- https://lwn.net/Articles/891818/ ∗∗∗ Elcomplus SmartPPT SCADA Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Cross-site Request Forgery vulnerabilities in the Elcomplus SmartPPT SCADA Server voice and data dispatch software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05 ∗∗∗ Multiple RTOS (Update E) ∗∗∗ --------------------------------------------- Update E: Windriver VxWorks – Update in progress The following devices use Windriver VxWorks as their RTOS: Hitachi Energy GMS600 – See public advisory. Hitachi Energy PWC600 – See public advisory. Hitachi Energy REB500 – See public advisory. Hitachi Energy Relion 670, 650 series and SAM600-IO – See public advisory Hitachi Energy RTU500 series CMU – Updates available for some firmware versions – See public advisory. Hitachi Energy Modular Switchgear Monitoring System MSM – Protect your network – See public advisory. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040067 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040065 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K56105136: BIND vulnerability CVE-2022-0396 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56105136 ∗∗∗ K21054458: Eclipse Jetty vulnerability CVE-2017-7656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21054458 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0456 ∗∗∗ 7-Zip: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0459 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0458 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0461 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2022
by Daily end-of-shift report 15 Apr '22

15 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-04-2022 18:00 − Freitag 15-04-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheit: Best Practice, zum Updaten von Windows Domain Controllern ∗∗∗ --------------------------------------------- In Unternehmensumgebungen werden oft Windows Server eingesetzt, die als Domain Controller (DC) fungieren. Domänencontroller sind für viele Unternehmen nach wie vor (trotz Trend zur Azure-Coud, so Microsoft) ein zentraler Bestandteil der Infrastruktur. Und die in der Active Directory gespeicherten Identitäten [...] --------------------------------------------- https://www.borncity.com/blog/2022/04/15/sicherheit-best-practice-zum-updat… ∗∗∗ Vorsicht vor ungerechtfertigten Kreditkartenabbuchungen von medianess.co ∗∗∗ --------------------------------------------- Ein QR-Code wird gescannt, ein Programm heruntergeladen oder eine App am Handy installiert. Konsument:innen berichten von ganz alltäglichen Situationen, in denen sie plötzlich auf der Seite medianess.co landen und aufgefordert werden ihre Kreditkartendaten einzugeben. Einige Tage später stellen sie verwundert fest, dass sie ein ungewolltes Abo abgeschlossen haben. Wir erklären Ihnen, wie Sie die ungerechtfertigten Abbuchungen beenden können und Ihr Geld zurückerhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ungerechtfertigten-kred… ∗∗∗ CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers ∗∗∗ --------------------------------------------- This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-1782-ios-in-wild-vu… ∗∗∗ Gaining Visibility Within Container Clusters ∗∗∗ --------------------------------------------- Service mesh platforms can be used to provide insight into the container processes and their network operations within K8s clusters. --------------------------------------------- https://unit42.paloaltonetworks.com/visibility-k8s-clusters/ ∗∗∗ CISA Adds Nine Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/15/cisa-adds-nine-kn… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed: CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/891453/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incomplete Cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS servers for building management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-02 ∗∗∗ Red Lion DA50N ∗∗∗ --------------------------------------------- This advisory contains mitigation for Insufficient Verification of Data Authenticity, Weak Password Requirements, Use of Unmaintained Third-Party Components, and Insufficiently Protected Credentials vulnerabilities in the Red Lion DA50N networking gateway. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-03 ∗∗∗ Siemens SCALANCE FragAttacks ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authentication, Injection, Improper Validation of Integrity Check, and Improper Input Validation vulnerabilities in the Siemens SCALANCE FragAttacks. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04 ∗∗∗ Siemens OpenSSL Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a NULL Pointer Dereference vulnerability in the Siemens OpenSSL. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-05 ∗∗∗ Delta Electronics DMARS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in the Delta Electronics DMARS program development tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-01 ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/14/juniper-networks-… ∗∗∗ Chrome 100.0.4896.127 fixt 0-day Schwachstelle CVE-2022-1364 ∗∗∗ --------------------------------------------- Google hat zum 14. April 2022 Notfall-Updates des Google Chrome 100.0.4896.127 für Android, sowie für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das Update schließt die 0-day-Schwachstelle CVE-2022-1364, die bereits Exploits existieren. --------------------------------------------- https://www.borncity.com/blog/2022/04/15/chrome-100-0-4896-127-fixt-ausgenu… ∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗ --------------------------------------------- A vulnerability CVE-2022-0778 was found in OpenSSL that allows to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate leads to a DoS (Denial of service) attack. SonicWall is investigating its product line to determine which products and cloud services may be affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Due to use of Apache Storm IBM Tivoli Network Manager is vulnerable to arbiraty code execution ( CVE-2021-38294, CVE-2021-40865 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-stor… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities in Plexus-utils affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to a denial of service due to a flaw in the BN_mod_sqrt() function (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2022
by Daily end-of-shift report 14 Apr '22

14 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-04-2022 18:00 − Donnerstag 14-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New EnemyBot DDoS botnet recruits routers and IoTs into its army ∗∗∗ --------------------------------------------- A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-rec… ∗∗∗ An Update on CVE-2022-26809 - MSRPC Vulnerabliity - PATCH NOW, (Thu, Apr 14th) ∗∗∗ --------------------------------------------- If your main concern is that you do not have time to apply the April update, stop wasting more time reading this (or anything else about CVE-2022-26809) and start patching. --------------------------------------------- https://isc.sans.edu/diary/rss/28550 ∗∗∗ A Primer on Cold Boot Attacks Against Embedded Systems ∗∗∗ --------------------------------------------- A computers main memory is volatile, and its content disappears if it is not regularly refreshed. This enables some attacks that exploit this behavior. One fairly well-known attack is called the "cold boot attack". --------------------------------------------- https://sec-consult.com/blog/detail/a-primer-on-cold-boot-attacks-against-e… ∗∗∗ "Pipedream": US-Warnung vor ausgeklügelten Cyberangriffen auf Energiesektor ∗∗∗ --------------------------------------------- Mit einem Werkzeugkasten hochentwickelter Cyberwaffen sollen unbekannte Angreifer industrielle Steuerungslagen übernehmen können. --------------------------------------------- https://heise.de/-6670554 ∗∗∗ Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet ∗∗∗ --------------------------------------------- Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines. --------------------------------------------- https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cyb… ∗∗∗ SMS-Werbung für sichernow.com führt in Crypto-Investment-Falle ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen für eine Crypto-Investment-Falle geworben wird. Der enthaltene Link führt zu einer betrügerischen Investment-Plattform. --------------------------------------------- https://www.watchlist-internet.at/news/sms-werbung-fuer-sichernowcom-fuehrt… ∗∗∗ Blinding Snort: Breaking the Modbus OT Preprocessor ∗∗∗ --------------------------------------------- Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. --------------------------------------------- https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-mo… ∗∗∗ Old Gremlins, new methods ∗∗∗ --------------------------------------------- After a long break, the Russian-speaking ransomware group OldGremlin resumes attacks in Russia --------------------------------------------- https://blog.group-ib.com/oldgremlin_comeback ∗∗∗ Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer ∗∗∗ --------------------------------------------- Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang." --------------------------------------------- http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html ∗∗∗ Unfolding the Log4j Security Vulnerability and Log4shell TTPs in AWS ∗∗∗ --------------------------------------------- Orca researcher Lidor Ben Shitrit reveals how Log4 shell TTPs in an AWS cloud environment can be used to open up a Log4j security vulnerability. --------------------------------------------- https://orca.security/resources/blog/log4j-security-vulnerability-log4shell… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-13 ∗∗∗ --------------------------------------------- 1 Critical, 13 High, 9 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Jetzt patchen! Attacken auf VMware Identity Manager und Workspace One Access ∗∗∗ --------------------------------------------- Angreifer schieben Krypto-Miner durch eine kritische Schadcode-Lücke in VMware Identity Manager und Workspace One Access. Updates stehen zum Download bereit. --------------------------------------------- https://heise.de/-6677723 ∗∗∗ Lücken in mehren Komponente machen Datenmanagement-Software IBM Db2 angreifbar ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für IBM Db2, IBM Db2 On Openshift und IBM Db2 Warehouse on Cloud Pak for Data. --------------------------------------------- https://heise.de/-6677497 ∗∗∗ Sicherheitsupdate: Admin-Tool Grafana ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Datenvisualisierungssoftware Grafana attackieren. --------------------------------------------- https://heise.de/-6678300 ∗∗∗ VMSA-2022-0013 ∗∗∗ --------------------------------------------- VMware Cloud Director update addresses remote code execution vulnerability (CVE-2022-22966) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0013.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils). --------------------------------------------- https://lwn.net/Articles/891354/ ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities with libxml2 affect IBM Cloud Object Storage Systems (Apr 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-libx… ∗∗∗ Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint are vulnerable to exposing sensitive information (CVE-2022-22391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-high-speed-tra… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.3.0 and earlier (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K11455641: NGINX LDAP Reference Implementation security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11455641 ∗∗∗ Juniper JUNOS (J-Web): Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0444 ∗∗∗ CVE-2022-0023 PAN-OS: Denial-of-Service (DoS) Vulnerability in DNS Proxy (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0023 ∗∗∗ PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0002 ∗∗∗ PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0001 ∗∗∗ CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed) ∗∗∗ --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-ads… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2022
by Daily end-of-shift report 13 Apr '22

13 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-04-2022 18:00 − Mittwoch 13-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Emotet modules and recent attacks ∗∗∗ --------------------------------------------- Emotet was disrupted in January 2021 and returned in November. This report provides technical description of its active modules and statistics on the malwares recent attacks. --------------------------------------------- https://securelist.com/emotet-modules-and-recent-attacks/106290/ ∗∗∗ Fodcha, a new DDos botnet ∗∗∗ --------------------------------------------- Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims being targeted on a daily basis. --------------------------------------------- https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/ ∗∗∗ TallGrass - A Python script that enumerates supported antiviruses and their exclusions on Windows hosts within a domain ∗∗∗ --------------------------------------------- Some antiviruses, like Windows Defender, expose their exclusions through the registry. Because of this, it is possible, and somewhat trivial, to enumerate them for potential means of AV evasion. TallGrass queries the domain controller for all domain-joined Windows hosts, then enumerates the AV exclusions for each host. --------------------------------------------- https://github.com/chdav/TallGrass ∗∗∗ PCI DSS 4.0 veröffentlicht: Mehr Sicherheit für Kreditkartendaten ∗∗∗ --------------------------------------------- Die neue Version 4.0 von PCI DSS erweitert den De-facto-Standard der Security für Zahlungssysteme. Vor allem sollen die Ziele flexibler umzusetzen sein. --------------------------------------------- https://heise.de/-6671323 ∗∗∗ Achtung vor unseriösen Urlaubsangeboten wie reisebuero-fuchs.com! ∗∗∗ --------------------------------------------- Die Urlaubsplanungen für Frühling und Sommer sind längst voll in Gang. Das nützen auch Kriminelle und veröffentlichen betrügerische Plattformen zur Urlaubsbuchung. Dort finden Sie tolle Unterkünfte zu top Konditionen. Der Haken: Sie sollen vorab Anzahlungen leisten, die Inhaber:innen der Unterkünfte erfahren aber nichts von Ihren Buchungen und das Geld landet in der Tasche Krimineller! Fazit: Nichts bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-unserioesen-urlaubsangeb… ∗∗∗ Coercing NTLM Authentication from SCCM ∗∗∗ --------------------------------------------- tl;dr: Disable NTLM for Client Push Installation [...] Client push installation accounts require local admin privileges to install software on systems in an SCCM site, so it is often possible to relay the credentials and execute actions in the context of a local admin on other SCCM clients in the site. --------------------------------------------- https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8… ∗∗∗ CVE-2022-26809: All your RPC are belong to us ∗∗∗ --------------------------------------------- Im April 2022 Patchday von Microsoft findet man wieder Updates [...] Spannender ist das Pärchen CVE-2022-26809/CVE-2022-24491 mit RCE: hier kommt zwar der Patch vor der ersten bekannten Ausnutzung der Schwachstelle, dafür sollten bei CVSS 9.8 die Alarmglocken laut läuten. Beim ersten geht es um das generische RPC Service, beim zweiten um den NFS Server. Während NFS nicht überall im Einsatz sein wird, ist Windows RPC auf Port 445 sehr weit verbreitet und innerhalb von Firmennetzen auch zwangsläufig sehr selten durch Firewalls geschützt. --------------------------------------------- https://cert.at/de/aktuelles/2022/4/2022-04-windows-patchday ∗∗∗ [Caution] Virus/XLS Xanpei Infecting Normal Excel Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution. --------------------------------------------- https://asec.ahnlab.com/en/33630/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical flaw in Elementor WordPress plugin may affect 500k sites ∗∗∗ --------------------------------------------- The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. [..] The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function. While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-w… ∗∗∗ Sicherheit: Git gibt Sicherheitslücken bekannt und veröffentlicht Patch ∗∗∗ --------------------------------------------- Git hat zwei Sicherheitslücken bekannt gegeben und gleich auch einen Patch bereitgestellt, der diese stopft: Update dringend empfohlen. --------------------------------------------- https://www.golem.de/news/sicherheit-git-gibt-sicherheitsluecken-bekannt-un… ∗∗∗ Patchday: SAP dichtet 30 Sicherheitslücken ab ∗∗∗ --------------------------------------------- SAP hat zu Lücken in diversen Produkten 21 neue Meldungen veröffentlicht und neun ältere aktualisiert. Administratoren sollten die Updates bald installieren. --------------------------------------------- https://heise.de/-6670382 ∗∗∗ Sicherheitspatch für Apache Struts unvollständig – neues Updates soll es richten ∗∗∗ --------------------------------------------- Aufgrund der Gefahr von möglichen Schadcode-Attacken sollten Admins ihre Apache-Struts-Systeme auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6670584 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion). --------------------------------------------- https://lwn.net/Articles/891182/ ∗∗∗ Apache Subversion: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Apache Subversion ausnutzen, um Informationen offenzulegen oder einen Denial of Service zu verursachen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0436 ∗∗∗ Citrix Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: April 12, 2022Citrix has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the following Citrix security bulletins and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/12/citrix-releases-s… ∗∗∗ Motorola Android App Vulnerabilities ∗∗∗ --------------------------------------------- Some Motorola Android applications do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. [..] Update to latest version of the applications in the Product Impact section below. App Name: 'Ready For', 'Device Help' --------------------------------------------- http://support.lenovo.com/product_security/PS500482-MOTOROLA-ANDROID-APP-VU… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- The following vulnerabilities were reported in ThinkPad BIOS. CVE IDs: CVE-2022-1107, CVE-2022-1108 Update system firmware to the version (or newer) indicated for your model [..] --------------------------------------------- http://support.lenovo.com/product_security/PS500480-THINKPAD-BIOS-VULNERABI… ∗∗∗ Lenovo System Update Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window. --------------------------------------------- http://support.lenovo.com/product_security/PS500483-LENOVO-SYSTEM-UPDATE-PR… ∗∗∗ Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) ∗∗∗ --------------------------------------------- While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration. --------------------------------------------- https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulne… ∗∗∗ Bentley Security Advisory BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006 ∗∗∗ Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affe… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to arbitrary code exection due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU binutils affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Valmet DNA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03 ∗∗∗ Mitsubishi Electric GT25-WLAN ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04 ∗∗∗ Aethon TUG Home Base Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05 ∗∗∗ NetApp Active IQ Unified Manager Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500484-NETAPP-ACTIVE-IQ-UNIFIE… ∗∗∗ Post-Auth Arbitrary File Read vulnerability Impacting End-Of-Life SRA Appliances and End-Of-Support SMA100 firmware versions ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2022
by Daily end-of-shift report 12 Apr '22

12 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-04-2022 18:00 − Dienstag 12-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qbot malware switches to new Windows Installer infection vector ∗∗∗ --------------------------------------------- The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new… ∗∗∗ Discord-Konten im Visier von Cyberkriminellen ∗∗∗ --------------------------------------------- Seit Jahresanfang sehen GDatas Sicherheitsforscher einen Anstieg an Malware, die Zugangstoken zu Discord stehlen will. Nutzer sollten Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-6669765 ∗∗∗ Terrible cloud security is leaving the door open for hackers. Heres what youre doing wrong ∗∗∗ --------------------------------------------- A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but its also leaving them vulnerable to cyberattacks. --------------------------------------------- https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-o… ∗∗∗ Industroyer2: Industroyer reloaded ∗∗∗ --------------------------------------------- This ICS-capable malware targets a Ukrainian energy company --------------------------------------------- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ∗∗∗ F5 investigating reports of NGINX zero day ∗∗∗ --------------------------------------------- UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus. The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership. --------------------------------------------- https://therecord.media/f5-investigating-reports-of-nginx-zero-day/ ∗∗∗ SystemBC Being Used by Various Attackers ∗∗∗ --------------------------------------------- SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. --------------------------------------------- https://asec.ahnlab.com/en/33600/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical LFI Vulnerability Reported in Hashnode Blogging Platform ∗∗∗ --------------------------------------------- Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, servers IP address, and other network information. --------------------------------------------- https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.ht… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django). --------------------------------------------- https://lwn.net/Articles/891048/ ∗∗∗ Amazon RDS Vulnerability Led to Exposure of Credentials ∗∗∗ --------------------------------------------- Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials. --------------------------------------------- https://www.securityweek.com/amazon-rds-vulnerability-led-exposure-credenti… ∗∗∗ SSA-350757 V1.0: Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants) ∗∗∗ --------------------------------------------- An attacker could achieve privilege escalation on the web server of certain devices configured by SIMATIC STEP 7 (TIA Portal) due to incorrect handling of the webserverâ€™s user management configuration during downloading. This only affects the S7-1200 and S7-1500 CPUsâ€™ (incl.Â related ET200 CPUs and SIPLUS variants) web server, when activated. Siemens has released updates for several affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-350757.txt ∗∗∗ SSA-392912 V1.0: Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices ∗∗∗ --------------------------------------------- Vulnerabilities have been identified in devices of the SCALANCE W-1700 (11ac) family that could allow an attacker to cause various denial of service conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-392912.txt ∗∗∗ SSA-414513 V1.0: Information Disclosure Vulnerability in Mendix ∗∗∗ --------------------------------------------- An information disclosure vulnerability in Mendix applications was discovered. The vulnerability could allow to read sensitive data. Siemens has released an update for the Mendix Applications using Mendix 9 and recommends to update to the latest version. Siemens recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-414513.txt ∗∗∗ SSA-446448 V1.0: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack ∗∗∗ --------------------------------------------- The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-446448.txt ∗∗∗ SSA-557541 V1.0: Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs ∗∗∗ --------------------------------------------- SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for SIMATIC S7-410 V10 CPU family and SIMATIC S7-400 H V6 CPU family (incl.Â SIPLUS variants for both) and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-557541.txt ∗∗∗ SSA-655554 V1.0: Multiple Vulnerabilities in SIMATIC Energy Manager before V7.3 Update 1 ∗∗∗ --------------------------------------------- SIMATIC Energy Manager is affected by multiple vulnerabilities that could allow an attacker to gain local privilege escalation, local code execution or remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-655554.txt ∗∗∗ SSA-711829 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- In conjunction with the installation of the affected products listed in the table below, a vulnerability in TIA Administrator occurs that could allow an unauthenticated attacker to perform a denial of service attack. Siemens has released a first update for one of the affected products and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-711829.txt ∗∗∗ SSA-836527 V1.0: Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices ∗∗∗ --------------------------------------------- Several SCALANCE X-300 switches contain multiple vulnerabilities. An unauthenticated attacker could reboot, cause denial of service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-836527.txt ∗∗∗ SSA-870917 V1.0: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-870917.txt ∗∗∗ SSA-998762 V1.0: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.2 ∗∗∗ --------------------------------------------- Siemens Simcenter Femap versions before V2022.1.2 are affected by vulnerabilities that could be triggered when the application reads files in .NEU format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens recommends to update to the latest version line of Simcenter Femap and to avoid opening of untrusted files --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-998762.txt ∗∗∗ SSA-316850: Unauthenticated File Access in SICAM A8000 Devices ∗∗∗ --------------------------------------------- SICAM A8000 CP-8050 and CP-8031 devices contain vulnerabilities that could allow an attacker to access files without authentication. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-316850.txt ∗∗∗ SAP Patchday April 2022 ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0414 ∗∗∗ Citrix SD-WAN Security Bulletin for CVE-2022-27505 and CVE-2022-27506 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX370550 ∗∗∗ Citrix StoreFront Security Bulletin for CVE-2022-27503 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX377814 ∗∗∗ Citrix Gateway Plug-in for Windows Security Bulletin for CVE-2022-21827 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341455 ∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-010/ ∗∗∗ PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-014/ ∗∗∗ PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-013/ ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-for-civil-infr… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to Prototype Pollution due to json-schema CVE-2021-3918 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: Vulnerabilities in Dojo and dom4j libraries affect Tivoli Netcool/OMNIbus WebGUI (CVE-2020-10683, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-a… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Performance Management products (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to CKEditor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2022
by Daily end-of-shift report 11 Apr '22

11 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-04-2022 18:00 − Montag 11-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android banking malware takes over calls to customer support ∗∗∗ --------------------------------------------- A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a banks customer support number and connect the victim directly with the cybercriminals operating the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-banking-malware-take… ∗∗∗ Security: OpenSSH 9.0 veröffentlicht ∗∗∗ --------------------------------------------- Die neue Version von OpenSSH bringt unter anderem eine Härtung gegen Faktorisierungsattacken mit zukünftigen Quantencomputern mit. --------------------------------------------- https://www.golem.de/news/security-openssh-9-0-veroeffentlicht-2204-164550-… ∗∗∗ Method For String Extraction Filtering, (Sat, Apr 9th) ∗∗∗ --------------------------------------------- In diary entry "XLSB Files: Because Binary is Stealthier Than XML", Xavier shows how to extract strings (URLs) from binary files that make up an Excel spreadsheet. This inspired me to make a tool to parse this XLSB file format: "Quickie: Parsing XLSB Documents". Now I'm presenting another method, one that uses string analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28532 ∗∗∗ Mirai-Botnet missbraucht Spring4Shell-Sicherheitsleck ∗∗∗ --------------------------------------------- Sicherheitsforscher haben beobachtet, dass das Mirai-Botnet die Spring4Shell-Schwachstelle angreift und dadurch die Malware verbreitet. --------------------------------------------- https://heise.de/-6668646 ∗∗∗ Denonia cryptominer is first malware to target AWS Lambda ∗∗∗ --------------------------------------------- There is now malware in serverless environments. Dubbed Denonia, it specifically targets the AWS Lambda to perform cryptojacking. --------------------------------------------- https://blog.malwarebytes.com/business-2/2022/04/denonia-cryptominer-is-fir… ∗∗∗ Octo Android Trojan Allows Cybercrooks to Conduct On-Device Fraud ∗∗∗ --------------------------------------------- Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud. --------------------------------------------- https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct… ∗∗∗ Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster ∗∗∗ --------------------------------------------- Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware’s methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to be focusing on in the coming months. --------------------------------------------- https://www.securityweek.com/think-criminal-knowing-popular-attack-techniqu… ∗∗∗ Love-Scam - Wie unterstütze ich Betroffene? ∗∗∗ --------------------------------------------- Hilfe! Mein Mutter, mein Onkel, meine Bekannte liebt eine:n Internetbetrüger:in. Für Außenstehende ist der Fall meist klar: Die Internetliebe ist ein:e Betrüger:in. Das Opfer möchte dies aber nicht glauben und überweist immer wieder Geld. Was tun? Wie können Sie Opfer von Liebesbetrüger:innen unterstützen? --------------------------------------------- https://www.watchlist-internet.at/news/love-scam-wie-unterstuetze-ich-betro… ∗∗∗ New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns ∗∗∗ --------------------------------------------- A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve. --------------------------------------------- https://unit42.paloaltonetworks.com/solarmarker-malware/ ∗∗∗ Insider-Bedrohungen greifen nach außen ∗∗∗ --------------------------------------------- Wenn Mitarbeiter auf eigene Faust zum Cyberkrieger werden wollen, kann das die Unternehmenssicherheit ebenso gefährden wie traditionelle Insider- und externe Bedrohungen, berichtet Andreas Riepen, Regional Sales Director Central Europe bei Vectra AI, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88400523/insider-bedrohungen-greifen-nach-aussen/ ∗∗∗ Cyber-Sicherheit im Gesundheitswesen ∗∗∗ --------------------------------------------- Das Gesundheitswesen ist nach wie vor einer der am häufigsten durch Hacker angegriffenen Bereiche. Lieder wurden in der Vergangenheit entsprechende Hausaufgaben lange aufgeschobene. --------------------------------------------- https://www.borncity.com/blog/2022/04/10/cyber-sicherheit-im-gesundheitswes… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! ∗∗∗ --------------------------------------------- A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/08/popular-ruby-asciidoc-toolkit-p… ∗∗∗ Spring: It isnt just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th) ∗∗∗ --------------------------------------------- Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. [...] The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently). --------------------------------------------- https://isc.sans.edu/diary/rss/28538 ∗∗∗ ABB Cyber Security Advisory: ARM600 M2M Gateway NSS library and polkit vulnerabilities ∗∗∗ --------------------------------------------- These vulnerabilities affect cryptographic libraries and privilege handling. Subsequently, a successful exploit could allow attackers to execute code with root user privileges or to elevate a non-privileged user to a privileged user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001254&Language… ∗∗∗ ABB Cyber Security Advisory: Arctic Wireless Gateway Firewall vulnerability (CVE-2022-0947) ∗∗∗ --------------------------------------------- A vulnerability is found in the ABB Arctic wireless gateways in a specific configuration and when using firmware versions from 2.4.0 or later until version 3.4.10. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001253&Language… ∗∗∗ Verschlüsselungsschwächen in Datenmanagementsoftware Dell EMC PowerScale OneFS ∗∗∗ --------------------------------------------- Admins von Systemen mit Dell EMC PowerScale OneFS sollten die Software aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6668566 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump). --------------------------------------------- https://lwn.net/Articles/890936/ ∗∗∗ XSS vulnerability patched in Directus data engine platform ∗∗∗ --------------------------------------------- The platform is described as a "flexible powerhouse for engineers." --------------------------------------------- https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-en… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0412 ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to Jackson-Databind (217968 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-global-mailb… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to log4js-node CVE-2022-21704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management(CVE-2021-39068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to node-request-retry CVE-2022-0654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple CVEs in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2022
by Daily end-of-shift report 08 Apr '22

08 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-04-2022 18:00 − Freitag 08-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious web redirect service infects 16,500 sites to push malware ∗∗∗ --------------------------------------------- A new TDS (Traffic Direction System) operation called Parrot has emerged in the wild, having already infected servers hosting 16,500 websites of universities, local governments, adult content platforms, and personal blogs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-web-redirect-servi… ∗∗∗ Mirai malware now delivered using Spring4Shell exploits ∗∗∗ --------------------------------------------- The Mirai malware is now leveraging the Spring4Shell exploit to infect vulnerable web servers and recruit them for DDoS (distributed denial of service) attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mirai-malware-now-delivered-… ∗∗∗ CVE-2021-30737, @xerubs 2021 iOS ASN.1 Vulnerability ∗∗∗ --------------------------------------------- Originally this post was just a series of notes I took last year as I was trying to understand this bug. But the bug itself and the narrative around it are so fascinating that I thought it would be worth writing up these notes into a more coherent form to share with the community. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-30737-xerubs-2021-i… ∗∗∗ Public Report – Google Enterprise API Security Assessment ∗∗∗ --------------------------------------------- During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. --------------------------------------------- https://research.nccgroup.com/2022/04/07/public-report-google-enterprise-ap… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libtiff), Debian (chromium), Fedora (buildah and chromium), openSUSE (firefox), SUSE (firefox, libsolv, libzypp, and openjpeg2), and Ubuntu (firefox and python-oslo.utils). --------------------------------------------- https://lwn.net/Articles/890718/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SPSS Analytic Server is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-analytic-server-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site request forgery (CVE-2020-4668) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Vulnerability in json4j – CVE-2021-3918 (Publicly disclosed vulnerability) impacts IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json4j-c… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: LDAP vulnerability in WebSphere Liberty Profile can affect IBM InfoSphere Global Name Management ENS (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ldap-vulnerability-in-web… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0004.html ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0405 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0406 ∗∗∗ Microsoft Edge 100.0.1185.36 fixt Schwachstelle ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/04/08/microsoft-edge-100-0-1185-36-fixt-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2022
by Daily end-of-shift report 07 Apr '22

07 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-04-2022 18:00 − Donnerstag 07-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New FFDroider malware steals Facebook, Instagram, Twitter accounts ∗∗∗ --------------------------------------------- A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims social media accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ffdroider-malware-steals… ∗∗∗ A Bad Luck BlackCat ∗∗∗ --------------------------------------------- A new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, but the group is also known as BlackCat. --------------------------------------------- https://securelist.com/a-bad-luck-blackcat/106254/ ∗∗∗ What is BIMI and how is it supposed to help with Phishing., (Thu, Apr 7th) ∗∗∗ --------------------------------------------- Phishing works because it is hard to figure out if an email or a website is authentic. Over the years, many technical solutions have been implemented to make it easier to recognize valid senders or a valid website. --------------------------------------------- https://isc.sans.edu/diary/rss/28528 ∗∗∗ SharkBot Banking Trojan Resurfaces On Google Play Store Hidden Behind 7 New Apps ∗∗∗ --------------------------------------------- As many as seven malicious Android apps discovered on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot. --------------------------------------------- https://thehackernews.com/2022/04/sharkbot-banking-trojan-resurfaces-on.html ∗∗∗ Whatsapp-Kettenbrief: "Milka" erneut Köder für gefälschte Gewinnspiele ∗∗∗ --------------------------------------------- Kriminelle werden nicht müde, die Schokoladenmarke für ihre Zwecke zu nutzen. Erst recht kurz vor Ostern. --------------------------------------------- https://heise.de/-6665629 ∗∗∗ DSGVO-Verstoß auf Ihrer Webseite? Lassen Sie sich nicht verunsichern! ∗∗∗ --------------------------------------------- Uns wurden zahlreiche E-Mails gemeldet, die auf einen DSGVO-Verstoß auf der Website von Unternehmen hinweisen. Das E-Mail bezieht sich auf die Verwendung von Google Analytics. Es besteht kein Grund zur Sorge, doch langfristig sollten Sie nach Alternativen zu dem Google-Dienst suchen. --------------------------------------------- https://www.watchlist-internet.at/news/dsgvo-verstoss-auf-ihrer-webseite-la… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/06/cisa-adds-three-k… ∗∗∗ CVE-2022-26381: Gone by others! Triggering a UAF in Firefox ∗∗∗ --------------------------------------------- Memory corruption vulnerabilities have been well known for a long time and programmers have developed various methods to prevent them. One type of memory corruption that is very hard to prevent is the use-after-free and the reason is that it has too many faces! --------------------------------------------- https://www.thezdi.com/blog/2022/4/7/cve-2022-26381-gone-by-others-triggeri… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug ∗∗∗ --------------------------------------------- American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/palo-alto-networks-firewalls… ∗∗∗ Jetzt aktualisieren: VMware patcht teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere VMware-Produkte sind von teils kritischen Lücken betroffen, durch die Angreifer Schadcode einschleusen könnten. Es gibt Updates und Gegenmaßnahmen. --------------------------------------------- https://heise.de/-6665440 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind), Debian (firefox-esr), Fedora (fribidi, gdal, and mingw-gdal), openSUSE (pdns-recursor and SDL2), Oracle (kernel), Slackware (mozilla), SUSE (glibc and openvpn-openssl1), and Ubuntu (fribidi and linux-azure-5.13, linux-oracle-5.13). --------------------------------------------- https://lwn.net/Articles/890620/ ∗∗∗ Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Java Deserialization Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Secure Network Analytics Network Diagrams Application Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ April 6, 2022 TNS-2022-08 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.20.1: Patch 202204.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-08 ∗∗∗ VMSA-2022-0012 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0012.html ∗∗∗ K51048910: Eclipse Jetty vulnerability CVE-2021-28169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51048910 ∗∗∗ Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulne… ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Modbus TCP/RTU Gateways ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-008/ ∗∗∗ Pepperl+Fuchs WirelessHART-Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-01 ∗∗∗ ABB SPIET800 and PNI800 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2022
by Daily end-of-shift report 06 Apr '22

06 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-04-2022 18:00 − Mittwoch 06-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft detects Spring4Shell attacks across its cloud services ∗∗∗ --------------------------------------------- Microsoft said that its currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4she… ∗∗∗ Windows MetaStealer Malware, (Wed, Apr 6th) ∗∗∗ --------------------------------------------- The malware abuses legitimate services by Github and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary. --------------------------------------------- https://isc.sans.edu/diary/rss/28522 ∗∗∗ Zero-Day-Lücken: Ältere macOS- und iOS-Versionen weiter angreifbar ∗∗∗ --------------------------------------------- Aktiv ausgenutzte Lücken hat Apple nur in iOS 15 und macOS 12 gestopft. Sicherheitsforschern zufolge sind aber auch ältere Betriebssystemversionen verwundbar. --------------------------------------------- https://heise.de/-6664730 ∗∗∗ Wenn der PC plötzlich steckenbleibt, nicht bei Microsoft anrufen! ∗∗∗ --------------------------------------------- Die Betrugsmasche, bei der sich Kriminelle als Microsoft-Angestellte ausgeben und ihre Opfer telefonisch kontaktieren, ist weitläufig bekannt. Aktuell erhalten Betroffene vermehrt keinen Anruf, sondern werden durch Pop-ups auf ihren Bildschirmen, die die Nutzung des Computers einschränken, zu Anrufen bewegt. Achtung: Nicht anrufen, sonst drohen Geld- und Datenverluste! --------------------------------------------- https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt… ∗∗∗ Fake e‑shops on the prowl for banking credentials using Android malware ∗∗∗ --------------------------------------------- This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign. --------------------------------------------- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credent… ∗∗∗ Analyzing a “multilayer” Maldoc: A Beginner’s Guide ∗∗∗ --------------------------------------------- In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post. --------------------------------------------- https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN) ∗∗∗ --------------------------------------------- * FortiClient (Linux) - Improper directories permissions * FortiClient (Linux) - external access to confighandler webserver * FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory * FortiEDR - Denial of service due to folder access permission change * FortiEDR - Hardcoded AES key enable disabling local Collector * FortiEDR - Insecure RSA key transport * FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol * FortiWAN - Pervasive OS command --------------------------------------------- https://www.fortiguard.com/psirt?date=04-2022 ∗∗∗ VMSA-2022-0011 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-9.8 CVE(s): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0011.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database). --------------------------------------------- https://lwn.net/Articles/890404/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.8 ∗∗∗ --------------------------------------------- CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ ∗∗∗ Spring Cloud Data Flow 2.9.4 Released ∗∗∗ --------------------------------------------- On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs. Notable Changes in 2.9.4: * Update to Spring Boot 2.5.12 * Resolves CVE-2022-22965 * Resolves CVE-2021-29425 --------------------------------------------- https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released ∗∗∗ Improper Authentication Management Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Watson Query potentially exposes adminstrator's key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apac… ∗∗∗ K49419538: libxml2 vulnerability CVE 2016-4658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_mediu… ∗∗∗ WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-009/ ∗∗∗ LifePoint Informatics Patient Portal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2022
by Daily end-of-shift report 05 Apr '22

05 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-04-2022 18:00 − Dienstag 05-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WhatsApp voice message phishing emails push info-stealing malware ∗∗∗ --------------------------------------------- A new WhatsApp phishing campaign impersonating WhatsApps voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phish… ∗∗∗ SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 ∗∗∗ --------------------------------------------- Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell. --------------------------------------------- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerab… ∗∗∗ WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th) ∗∗∗ --------------------------------------------- Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is "run of the mill," but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult. --------------------------------------------- https://isc.sans.edu/diary/rss/28520 ∗∗∗ ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-547/ ∗∗∗ Phishing-Angriffe auf Kryptowährungssektor nach Einbruch bei MailChimp ∗∗∗ --------------------------------------------- Nach einem Einbruch beim Marketing-Mail-Anbieter MailChimp haben Cyberkriminelle versucht, per Phishing an Kryptowährungen von Krypto-Wallet-Kunden zu gelangen. --------------------------------------------- https://heise.de/-6662971 ∗∗∗ CISA advises D-Link users to take vulnerable routers offline ∗∗∗ --------------------------------------------- CISA has advised users to take certain vulnerable D-Link routers offline since the existing vulnerabilities are know to be actively exploited and the models have reached EOL and will not get patched. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-adv… ∗∗∗ Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter ∗∗∗ --------------------------------------------- Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.The infections leverage process injection to evade detection by endpoint security software. --------------------------------------------- http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin—April 2022 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2022-04-01 ∗∗∗ Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 ∗∗∗ --------------------------------------------- IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-400.html ∗∗∗ Xen Security Advisory CVE-2022-26357 / XSA-399 ∗∗∗ --------------------------------------------- race in VT-d domain ID cleanup. The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-399.html ∗∗∗ Xen Security Advisory CVE-2022-26356 / XSA-397 ∗∗∗ --------------------------------------------- Racy interactions between dirty vram tracking and paging log dirty hypercalls. An attacker can cause Xen to leak memory, eventually leading to a Denial of Service (DoS) affecting the entire host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-397.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress). --------------------------------------------- https://lwn.net/Articles/890258/ ∗∗∗ Kyocera Printer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kyocera Printer ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0391 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature. The issue has the following identifier: CVE-2022-26357 Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue. --------------------------------------------- https://support.citrix.com/article/CTX390511 ∗∗∗ Sicherheitsupdate für Webbrowser Google Chrome ∗∗∗ --------------------------------------------- https://heise.de/-6662814 ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Dojo Toolkil shipped with IBM Tivoli Netcool Impact (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_mediu… ∗∗∗ K08827426: Vim vulnerability CVE-2022-0359 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_mediu… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/ ∗∗∗ Security Vulnerabilities fixed in Firefox 99 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2022
by Daily end-of-shift report 04 Apr '22

04 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-04-2022 18:00 − Montag 04-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Einkauf von Markenware! ∗∗∗ --------------------------------------------- Wer Markenkleidung oder -schuhe online kaufen will, sollte sich vergewissern, dass das Angebot seriös ist. Denn derzeit tauchen zahlreiche Fake-Shops auf, die angeben, beliebte Markenware zu verkaufen. Keine dieser betrügerischen Shops hat ein Impressum auf der Seite, die Webadresse hat außerdem nichts mit den angebotenen Waren zu tun. Das sind typische Merkmale für Fake-Shops und gute Gründe, hier nicht einzukaufen! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Explaining Spring4Shell: The Internet security disaster that wasn’t ∗∗∗ --------------------------------------------- Vulnerability in the Spring Java Framework is important, but its no Log4Shell. --------------------------------------------- https://arstechnica.com/?p=1845362 ∗∗∗ Beastmode botnet boosts DDoS power with new router exploits ∗∗∗ --------------------------------------------- A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos… ∗∗∗ Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet?, (Mon, Apr 4th) ∗∗∗ --------------------------------------------- In November, an accountant working for a construction company received an innocent enough-looking email: An update on the terms to submit bills to a local county. Seeing the email, the accountant clicked on the link and quickly downloaded the new document after entering their Outlook 365 credentials. The PDF looked all right but was something the accountant had already downloaded a couple of weeks ago from the county’s official website. [...] This, turns out, was a typical case of “business email compromise.” --------------------------------------------- https://isc.sans.edu/diary/rss/28516 ∗∗∗ WordPress Popunder Malware Redirects to Scam Sites ∗∗∗ --------------------------------------------- Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection this year and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site. --------------------------------------------- https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-sca… ∗∗∗ Brokenwire Hack Could Let Remote Attackers Disrupt Charging for Electric Vehicles ∗∗∗ --------------------------------------------- A group of academics from the University of Oxford and Armasuisse S+T has disclosed details of a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale. Dubbed "Brokenwire," the method interferes with the control communications that transpire between the vehicle and charger to wirelessly abort the abort the charging sessions from a distance of as far as 47m (151ft). --------------------------------------------- https://thehackernews.com/2022/04/brokenwire-hack-could-let-remote.html ∗∗∗ Deep Dive Analysis - Borat RAT ∗∗∗ --------------------------------------------- [...] During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities. --------------------------------------------- https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/ ∗∗∗ FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 ∗∗∗ --------------------------------------------- Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t publicly written about since Mahalo FIN7, published in 2019. --------------------------------------------- https://www.mandiant.com/resources/evolution-of-fin7 ∗∗∗ Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said ∗∗∗ --------------------------------------------- Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries. --------------------------------------------- https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mail… ∗∗∗ Kaseya Full Disclosure ∗∗∗ --------------------------------------------- In honor of our appearance on the Ransomware Files podcast episode #5 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA of which some were used by REvil to attack Kaseya’s customers. The details can be found in our CVE entries: [...] --------------------------------------------- https://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ 15-Year-Old Bug in PEAR PHP Repository Couldve Enabled Supply Chain Attacks ∗∗∗ --------------------------------------------- A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.ht… ∗∗∗ FG-IR-22-059: Vulnerability in OpenSSL library ∗∗∗ --------------------------------------------- A security advisory was released affecting the version of OpenSSL library used in some Fortinet products. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-059 ∗∗∗ VMSA-2022-0010 ∗∗∗ --------------------------------------------- A critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0010.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, qemu, and zlib), Fedora (389-ds-base, ghc-cmark-gfm, ghc-hakyll, gitit, libkiwix, openssl, pandoc, pandoc-citeproc, patat, phoronix-test-suite, seamonkey, and skopeo), Mageia (libtiff, openjpeg2, and php-smarty), openSUSE (python), Oracle (httpd), Red Hat (httpd), and SUSE (libreoffice, python, and python36). --------------------------------------------- https://lwn.net/Articles/890187/ ∗∗∗ Microsoft Edge 100.0.1185.29 fixt Schwachstellen ∗∗∗ --------------------------------------------- Microsoft hat zum 1. April 2022 (kein April-Scherz) den Chromium-Edge Browser auf die Version Edge 100.0.1185.29 aktualisiert. Es handelt sich um ein Wartungsupdate, das eine Reihe Schwachstellen schließt und den 100er-Entwicklungszweig einleitet. --------------------------------------------- https://www.borncity.com/blog/2022/04/02/microsoft-edge-100-0-1185-29-fixt-… ∗∗∗ Kaspersky Anti-Virus: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0384 ∗∗∗ Vulnerability in Spring Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Netty – CVE-2021-43797 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-cv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-co… ∗∗∗ Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-39046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server in Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2022
by Daily end-of-shift report 01 Apr '22

01 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-03-2022 18:00 − Freitag 01-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New BlackGuard password-stealing malware sold on hacker forums ∗∗∗ --------------------------------------------- A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blackguard-password-stea… ∗∗∗ Viasat confirms satellite modems were wiped with AcidRain malware ∗∗∗ --------------------------------------------- A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-mo… ∗∗∗ Phishing uses Azure Static Web Pages to impersonate Microsoft ∗∗∗ --------------------------------------------- Phishing attacks are abusing Microsoft Azures Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/phishing-uses-azure-static-… ∗∗∗ FORCEDENTRY: Sandbox Escape ∗∗∗ --------------------------------------------- In this post we'll take a look at that sandbox escape. It's notable for using only logic bugs. In fact it's unclear where the features that it uses end and the vulnerabilities which it abuses begin. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.h… ∗∗∗ iOS-Updates: Automatik braucht mehrere Wochen ∗∗∗ --------------------------------------------- Wer will, dass sein iPhone auf aktuellem Stand ist, sollte händisch aktualisieren. Die automatische Verteilung braucht lange, bestätigt Apples Softwarechef. --------------------------------------------- https://heise.de/-6657879 ∗∗∗ CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) ∗∗∗ --------------------------------------------- CVE-2022-22965, aka SpringShell, is a remote code execution vulnerability in the Spring Framework. We provide a root cause analysis and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ ∗∗∗ The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities ∗∗∗ --------------------------------------------- The flaws can be exploited to execute code on vulnerable controllers and workstations. --------------------------------------------- https://www.zdnet.com/article/cisa-issues-alert-on-critical-ics-vulnerabili… ∗∗∗ Spring Framework RCE, Mitigation Alternative ∗∗∗ --------------------------------------------- Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection. --------------------------------------------- https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternati… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-03-31 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Sterling Partner Engagement Manager, IBM QRadar Network Security, IBM Security Access Manager for Enterprise, IBM Urbancode Deploy, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Netcool Impact, Watson Knowledge Catalog InstaScan --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Kritische Sicherheitslücke: Gitlab-Update außer der Reihe ∗∗∗ --------------------------------------------- Die Gitlab-Entwickler haben ein Update veröffentlicht, um Sicherheitslücken zu schließen. Eine kritische Lücke könnte Angreifern die Kontoübernahme ermöglichen. --------------------------------------------- https://heise.de/-6660080 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wireshark), Fedora (389-ds-base), Mageia (golang, wavpack, and zlib), openSUSE (yaml-cpp), SUSE (expat and yaml-cpp), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-aws-hwe, linux-gcp-4.15, linux-oracle, linux-intel-5.13, and tomcat9). --------------------------------------------- https://lwn.net/Articles/889983/ ∗∗∗ Sicherheitsupdates: iOS 15.4.1 und macOS Monterey 12.3.1 ∗∗∗ --------------------------------------------- Apple hat zum 31. März 2022 zwei Sicherheitsupdates für macOS 12.3.1 (Monterey) und iOS/iPad OS 15.4.1 freigegeben. Diese schließen die Schwachstellen CVE-2022-22675 (in AppleAVD für iOS und macOS) und CVE-2022-22674 im macOS Intel Grafiktreiber. --------------------------------------------- https://www.borncity.com/blog/2022/04/01/sicherheitsupdates-ios-15-4-1-und-… ∗∗∗ K56241216: OpenLDAP vulnerabilities CVE-2020-25709 and CVE-2020-25710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56241216 ∗∗∗ K44994972: Linux kernel vulnerability CVE-2020-25704 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44994972 ∗∗∗ Schneider Electric SCADAPack Workbench ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-01 ∗∗∗ Hitachi Energy e-mesh EMS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-02 ∗∗∗ Fuji Electric Alpha5 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03 ∗∗∗ Mitsubishi Electric FA Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-04 ∗∗∗ General Electric Renewable Energy MDS Radios ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-06 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/31/cisa-adds-seven-k… ∗∗∗ Mehrere Schwachstellen in ZA|ARC (SYSS-2021-063/-064/-065/-066/-067) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-zaarc-syss-2021-… ∗∗∗ SA45100 - CVE-2022-0778-OpenSSL-Vulnerability may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-0778… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2022
by Daily end-of-shift report 31 Mar '22

31 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-03-2022 18:00 − Donnerstag 31-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spring patches leaked Spring4Shell zero-day RCE vulnerability ∗∗∗ --------------------------------------------- Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring… ∗∗∗ Java: Exploit für RCE-Lücke in Spring geleakt ∗∗∗ --------------------------------------------- Unter Umständen reicht ein HTTP-Request, um Spring-Anwendungen eine Webshell unterzujubeln. Die Lücke wird wohl bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-22… ∗∗∗ SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps ∗∗∗ --------------------------------------------- The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase. --------------------------------------------- https://github.com/jfrog/jfrog-spring-tools ∗∗∗ Simple local Spring vulnerability scanner ∗∗∗ --------------------------------------------- This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. --------------------------------------------- https://github.com/hillu/local-spring-vuln-scanner ∗∗∗ Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring ∗∗∗ --------------------------------------------- Weve been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core to determine if its a problem or not, as well as explained another RCE vulnerability found in Spring. --------------------------------------------- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities ∗∗∗ Calendly actively abused in Microsoft credentials phishing ∗∗∗ --------------------------------------------- Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-… ∗∗∗ Lazarus Trojanized DeFi app for delivering malware ∗∗∗ --------------------------------------------- We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. --------------------------------------------- https://securelist.com/lazarus-trojanized-defi-app/106195/ ∗∗∗ Conti-nuation: methods and techniques observed in operations post the leaks ∗∗∗ --------------------------------------------- This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks. --------------------------------------------- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniqu… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns severe OpenSSL bug affects most of its NAS devices ∗∗∗ --------------------------------------------- Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bu… ∗∗∗ “VMware Spring Cloud” Java bug gives instant remote code execution – update now! ∗∗∗ --------------------------------------------- Easy unauthenticated remote code execution - PoC code already out --------------------------------------------- https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/889852/ ∗∗∗ The Old Switcheroo: Hiding Code on Rockwell Automation PLCs ∗∗∗ --------------------------------------------- CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. --------------------------------------------- https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automa… ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42543427/ ∗∗∗ Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-032 ∗∗∗ Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-i… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0778 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2022
by Daily end-of-shift report 30 Mar '22

30 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-03-2022 18:00 − Mittwoch 30-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Mars Stealer malware pushed via OpenOffice ads on Google ∗∗∗ --------------------------------------------- A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mars-stealer-malware-pushed-… ∗∗∗ Viasat shares details on KA-SAT satellite service cyberattack ∗∗∗ --------------------------------------------- US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-shares-details-on-ka-… ∗∗∗ Angriff auf Schnellllader: Forscher können Ladevorgänge per Funk unterbrechen ∗∗∗ --------------------------------------------- CCS hat sich als Standard beim Schnellladen von Elektroautos etabliert. Doch der Ladevorgang lässt sich durch Funksignale zum Absturz bringen. --------------------------------------------- https://www.golem.de/news/schnelllladen-forscher-bringen-ccs-ladevorgaenge-… ∗∗∗ Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks ∗∗∗ --------------------------------------------- Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. --------------------------------------------- https://blog.aquasec.com/python-ransomware-jupyter-notebook ∗∗∗ Kostenlose Webinar-Reihe: So schützen Sie sich im Internet ∗∗∗ --------------------------------------------- Mit Unterstützung der Arbeiterkammer Burgenland veranstalten unsere KollegInnen von saferinternet.at ab 5. April eine Webinar-Reihe. Die kostenlosen Webinare sind für alle interessierten Erwachsenen offen und beschäftigen sich mit dem sicheren und verantwortungsvollen Umgang mit digitalen Medien. Mit dabei sind auch ExpertInnen der Watchlist Internet. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-so-schuetze… ∗∗∗ Investigating an engineering workstation – Part 2 ∗∗∗ --------------------------------------------- In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. --------------------------------------------- https://blog.nviso.eu/2022/03/30/investigating-an-engineering-workstation-p… ∗∗∗ Advanced warning: probable remote code execution (RCE) in Spring, an extremely popular Java framework ∗∗∗ --------------------------------------------- This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.In the morning (New York time) on Wednesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. --------------------------------------------- https://bugalert.org/content/notices/2022-03-29-spring.html ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Angriffe auf Sicherheitslücke in Trend Micro Apex Central ∗∗∗ --------------------------------------------- Trend Micro warnt vor Angriffen auf eine Sicherheitslücke in zentralen Verwaltungssoftware Apex Central. Zum Abdichten des Lecks stehen Updates bereit. --------------------------------------------- https://heise.de/-6656849 ∗∗∗ VMSA-2022-0009 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.5 CVE(s): CVE-2022-22948 Synopsis: VMware vCenter Server updates address an information disclosure vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0009.html ∗∗∗ Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000 installations. [...] A patched version, 5.174.1, was made available on March 25, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/03/reflected-xss-in-spam-protection-ant… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (expat, firefox, httpd, openssl, and thunderbird), Debian (cacti), Fedora (kernel, rsh, unrealircd, and xen), Mageia (kernel and kernel-linus), openSUSE (apache2, java-1_8_0-ibm, kernel, openvpn, and protobuf), Oracle (openssl), Red Hat (httpd:2.4, kernel, kpatch-patch, and openssl), SUSE (apache2, java-1_7_1-ibm, java-1_8_0-ibm, kernel, openvpn, protobuf, and zlib), and Ubuntu (chromium-browser and paramiko). --------------------------------------------- https://lwn.net/Articles/889682/ ∗∗∗ SaltStack Salt: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SaltStack Salt ausnutzen, um Dateien zu manipulieren, einen Denial of Service Zustand herbeizuführen, Privilegien zu erweitern oder beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0371 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro AntiVirus für Mac ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0370 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 100.0.4896.60 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/30/google-releases-s… ∗∗∗ Password-Hash-Preisgabe im CMS Statamic (SYSS-2022-022) ∗∗∗ --------------------------------------------- Im CMS Statamic können in der REST-API Passwort-Hash-Werte aller Benutzer:innen ausgelesen werden. Dies kann zur Übernahme der Website führen. --------------------------------------------- https://www.syss.de/pentest-blog/password-hash-preisgabe-in-statamic-cms-sy… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ PHOENIX CONTACT: Vulnerabilities in XML parser library Expat (libexpat) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-005/ ∗∗∗ Buffer Overflow Vulnerability in Recovery Image ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-446276-bt.html ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2022
by Daily end-of-shift report 29 Mar '22

29 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-03-2022 18:00 − Dienstag 29-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sophos warns critical firewall bug is being actively exploited ∗∗∗ --------------------------------------------- British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-… ∗∗∗ Triton Malware Still Targeting Energy Firms ∗∗∗ --------------------------------------------- The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good. --------------------------------------------- https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting… ∗∗∗ Linux-Kernel: Netfilter-Bug gibt Nutzern Root-Rechte ∗∗∗ --------------------------------------------- Im Linux-Kernel sind mehrere Fehler im Netfilter-Code gefunden worden, die es einem Nutzer ermöglichen, Root-Rechte zu erlangen. Das Kernel-Team hat für alle unterstützten Versionszweige Updates veröffentlicht. CVE-2022-1015, CVE-2022-1016). --------------------------------------------- https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rech… ∗∗∗ A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages ∗∗∗ --------------------------------------------- A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. --------------------------------------------- https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.h… ∗∗∗ Betrügerische SMS im Namen der Volksbank ∗∗∗ --------------------------------------------- Aktuell kursieren betrügerische SMS im Namen der Volksbank. EmpfängerInnen werden dringlich aufgefordert, auf einen Link zu klicken – angeblich, weil das Konto gesperrt wurde. Achtung: Dabei handelt es sich um Betrug. Wer den Link anklickt, landet auf einer gefälschten Login-Seite der Volksbank. Dort werden Zugangsdaten gestohlen! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volk… ∗∗∗ Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners ∗∗∗ --------------------------------------------- A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. --------------------------------------------- https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-… ∗∗∗ Verblecon: Sophisticated New Loader Used in Low-level Attacks ∗∗∗ --------------------------------------------- Indications the attacker may not realize the potential capabilities of the malware they are using. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ve… ∗∗∗ Mitigating Attacks Against Uninterruptable Power Supply Devices ∗∗∗ --------------------------------------------- CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Wyze Cam flaw lets hackers remotely access your saved videos ∗∗∗ --------------------------------------------- The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019. The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery. The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-r… ∗∗∗ ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-545/ ∗∗∗ Kritische Schadcode-Lücke in In-Memory-Datenbank Redis geschlossen ∗∗∗ --------------------------------------------- Das Zusammenspiel von Debian-Systemen und Redis kann zu ernsten Sicherheitsproblemen führen. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6655726 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko). --------------------------------------------- https://lwn.net/Articles/889571/ ∗∗∗ Sicherheitswarnung: Authentifizierungsschwachstelle CVE-2022-0342 in Zyxel USG/ZyWALL ∗∗∗ --------------------------------------------- In verschiedenen Zyxel Firewall-Produkten gibt es eine kritische Authentifizierungs-Schwachstelle (CVE-2022-0342). Durch diese Sicherheitslücke wird eine Übernahme der Firewall möglich. Zyxel stellt zwar für Geräte, die noch im Support sind, Firmware-Updates bereits. --------------------------------------------- https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizieru… ∗∗∗ CVE-2018-25032: Zlib Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- You may be thinking: ‘Wait, this new CVE starts with 2018.., this must be a mistake?’. In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well. [...] Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform’s release of version 1.2.12, and re-compile any programs with the updated library. --------------------------------------------- https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-c… ∗∗∗ Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affe… ∗∗∗ Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8… ∗∗∗ Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-… ∗∗∗ K33548065: Eclipse Jetty vulnerability CVE-2018-12536 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_mediu… ∗∗∗ K03674368: Linux kernel vulnerability CVE-2021-3715 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_mediu… ∗∗∗ Philips e-Alert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01 ∗∗∗ Omron CX-Position ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02 ∗∗∗ Hitachi Energy LinkOne WebView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03 ∗∗∗ Modbus Tools Modbus Slave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2022
by Daily end-of-shift report 28 Mar '22

28 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-03-2022 18:00 − Montag 28-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webbrowser: Notfallupdate für Google Chrome ∗∗∗ --------------------------------------------- Google hat neue Versionen vom Webbrowser Chrome veröffentlicht, die eine Sicherheitslücke schließen, für die bereits Exploit-Code existiert. --------------------------------------------- https://heise.de/-6638415 ∗∗∗ PayPal Funktion „Geld an Freunde senden“ nicht als Zahlungsmittel auf Online-Marktplätzen verwenden ∗∗∗ --------------------------------------------- Momentan melden uns Facebook-NutzerInnen betrügerische Inserate im Facebook Marketplace. Darin werden beispielsweise Gaming-Stühle zum Verschenken angeboten. Die Person verlangt nur 15 Euro für den Versand. Der Betrag sollte mit der PayPal-Funktion „Geld an Freunde senden“ übermittelt werden. Achtung: Dabei handelt es sich um Betrug! Sie verlieren Ihr Geld und erhalten kein Produkt! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-send… ∗∗∗ Public Redis exploit used by malware gang to grow botnet ∗∗∗ --------------------------------------------- Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by… ∗∗∗ Hive ransomware ports its Linux VMware ESXi encryptor to Rust ∗∗∗ --------------------------------------------- The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims ransom negotiations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-li… ∗∗∗ The Mystery Admin User ∗∗∗ --------------------------------------------- One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back. --------------------------------------------- https://blog.sucuri.net/2022/03/the-mystery-admin-user.html ∗∗∗ Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks ∗∗∗ --------------------------------------------- The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html ∗∗∗ Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware ∗∗∗ --------------------------------------------- A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html ∗∗∗ Under the hood of Wslink’s multilayered virtual machine ∗∗∗ --------------------------------------------- ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques --------------------------------------------- https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-vi… ∗∗∗ Vulnerability Management in a nutshell ∗∗∗ --------------------------------------------- Vulnerability Management plays an important role in an organization’s line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses. --------------------------------------------- https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/ ∗∗∗ Ransomware profile: RansomExx ∗∗∗ --------------------------------------------- A comprehensive profile of the RansomExx ransomware strain. --------------------------------------------- https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Sophos Firewall könnte Schadcode passieren lassen ∗∗∗ --------------------------------------------- Die Firewall von Sophos ist löchrig. Aktualisierte Versionen lösen das Sicherheitsproblem. --------------------------------------------- https://heise.de/-6653493 ∗∗∗ Whitepaper – Double Fetch Vulnerabilities in C and C++ ∗∗∗ --------------------------------------------- Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper, draws the knowledge together into a single place, in order to better describe the different [...] --------------------------------------------- https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabil… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3). --------------------------------------------- https://lwn.net/Articles/889423/ ∗∗∗ CISA Adds 66 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-know… ∗∗∗ Microsoft Security Update Revisions (25. März 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 25. März 2022 noch einige Revisionen für Sicherheitsupdates veröffentlicht. In den Revisionen werden geänderte Einschätzungen zu Schwachstellen thematisiert. Hier eine unkommentierte Übersicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revision… ∗∗∗ SonicWall SonicOS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0348 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0358 ∗∗∗ Cross-Site Scripting-Schwachstelle in DHC Vision (SYSS-2022-019) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-… ∗∗∗ SQL Injection in der B2B Suite des Shopware e-Commerce Frameworks (SYSS-2022-018) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopwar… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2022
by Daily end-of-shift report 25 Mar '22

25 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-03-2022 18:00 − Freitag 25-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing kits constantly evolve to evade security software ∗∗∗ --------------------------------------------- Modern phishing kits sold on cybercrime forums as off-the-shelve packages feature multiple and sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions wont mark them as a threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evo… ∗∗∗ Malicious Microsoft Excel add-ins used to deliver RAT malware ∗∗∗ --------------------------------------------- Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel addins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-ad… ∗∗∗ Racing against the clock -- hitting a tiny kernel race window ∗∗∗ --------------------------------------------- This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting… ∗∗∗ XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th) ∗∗∗ --------------------------------------------- In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one... --------------------------------------------- https://isc.sans.edu/diary/rss/28476 ∗∗∗ Linux-Malware bedroht Windows ∗∗∗ --------------------------------------------- Es taucht immer mehr Malware auf, die das Windows Subsytem for Linux (WSL) als Einfallstor nutzen. Die Gefahr steigt, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6631700 ∗∗∗ Mining data from Cobalt Strike beacons ∗∗∗ --------------------------------------------- Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. --------------------------------------------- https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-bea… ∗∗∗ E-Mails mit Anschuldigungen der Polizei sind Fake! ∗∗∗ --------------------------------------------- Auch Sie haben ein E-Mail von der Polizei oder dem Bundeskriminalamt erhalten, das Sie der Kinderpornografie, Pädophilie und des Exhibitionismus beschuldigt? Das E-Mail ist fake, die Anschuldigungen frei erfunden. Antworten Sie nicht und löschen Sie die Nachricht am besten. --------------------------------------------- https://www.watchlist-internet.at/news/e-mails-mit-anschuldigungen-der-poli… ∗∗∗ Crypto malware in patched wallets targeting Android and iOS devices ∗∗∗ --------------------------------------------- ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. --------------------------------------------- https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ URL rendering trick enabled WhatsApp, Signal, iMessage phishing ∗∗∗ --------------------------------------------- A set of flaws affecting the worlds leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-… ∗∗∗ Western Digital schließt Root-Schadcode-Lücke in My-Cloud-Netzwerkspeichern ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für verschiedene NAS-Modelle von Western Digital. --------------------------------------------- https://heise.de/-6630582 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/889265/ ∗∗∗ ZDI-22-538: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-538/ ∗∗∗ ZDI-22-537: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-537/ ∗∗∗ ZDI-22-536: (0Day) Electronic Arts Origin Web Helper Service Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-536/ ∗∗∗ ZDI-22-541: (0Day) Array Networks MotionPro Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-541/ ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by denial of service vulnerabilities in OpenSSL (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by an OpenSSL vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2022
by Daily end-of-shift report 24 Mar '22

24 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-03-2022 18:00 − Donnerstag 24-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns ∗∗∗ --------------------------------------------- Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. --------------------------------------------- https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.ht… ∗∗∗ Doppelter Betrug: Phishing-Konzept mit Browser-In-The-Browser-Attacke ausgebaut ∗∗∗ --------------------------------------------- In seinem Beispiel macht sich der Sicherheitsforscher das OAuth-Fenster zunutze. In seiner Demo baut er es via HTML/CSS exakt nach und versieht es mit einer legitimen Google-URL inklusive HTTPS-Schloss-Symbol. Dadurch fällt es Opfern schwerer, den Betrug aufzudecken und eingegebene Passwörter landen bei Betrügern. Einen Schwachpunkt hat dieser Ansatz aber: Der Ausgangspunkt von einer BITB-Attacke ist eine Phishing-Website, die das OAuth-Anmeldeverfahren mit dem Fake-Fenster anbietet. Dahin müssen Betrüger Opfer erst mal locken, ohne dass Verdacht aufkommt. --------------------------------------------- https://heise.de/-6621914 ∗∗∗ A Closer Look at the LAPSUS$ Data Extortion Group ∗∗∗ --------------------------------------------- Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Heres a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations. --------------------------------------------- https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extort… ===================== = Vulnerabilities = ===================== ∗∗∗ Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-031 ∗∗∗ Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030 ∗∗∗ --------------------------------------------- Security risk: Critical The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-030 ∗∗∗ Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) ∗∗∗ --------------------------------------------- Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others. --------------------------------------------- https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-d… ∗∗∗ Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 7.5, High CVE ID: CVE-2021-3422 The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. --------------------------------------------- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.h… ∗∗∗ VMware Carbon App Control: Angreifer könnten Schadcode auf Server schieben ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zwei kritische Lücken in Carbon App Control für Windows. --------------------------------------------- https://heise.de/-6619596 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird). --------------------------------------------- https://lwn.net/Articles/889120/ ∗∗∗ Schwachstelle in Windows 3CX-Telefonanlagen, Patchen ist angesagt ∗∗∗ --------------------------------------------- Wer unter Windows ein 3CX-System (Telefonanlage) in einer Version unterhalb v18 Update 3 (Build 450) betreibt, sollte reagieren. Der Hersteller hat ein Sicherheitsupdate für dieses Produkt in Form der v18 Update 3 (Build 450) veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/24/schwachstelle-in-windows-3cx-telef… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-sdk-java-technology-ed… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2022-22374 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2022
by Daily end-of-shift report 23 Mar '22

23 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-03-2022 18:00 − Mittwoch 23-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Okta confirms 2.5% customers impacted by hack in January ∗∗∗ --------------------------------------------- Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-cus… ∗∗∗ Raccoon Stealer – An Insight into Victim “Gates” ∗∗∗ --------------------------------------------- Raccoon Stealer is an information stealer sold to ‘affiliates’ as a Malware-as-a-Service (MaaS) on multiple underground forums. Affiliates are provided access to a control panel hosted on the Tor network as an onion site, where they can generate new malware builds and review data collected from infected hosts. --------------------------------------------- https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-vict… ∗∗∗ Ransomware: Microsoft bestätigt Hack durch Lapsus$ ∗∗∗ --------------------------------------------- Nach der Veröffentlichung von Code durch Lapsus$ bestätigt Microsoft nun den Hack. Der sei aber sehr begrenzt gewesen. --------------------------------------------- https://www.golem.de/news/ransomware-microsoft-bestaetigt-hack-durch-lapsus… ∗∗∗ DEV-0537 criminal actor targeting organizations for data exfiltration and destruction ∗∗∗ --------------------------------------------- The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. --------------------------------------------- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-… ∗∗∗ Exploring a New Class of Kernel Exploit Primitive ∗∗∗ --------------------------------------------- MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-… ∗∗∗ Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd) ∗∗∗ --------------------------------------------- Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. --------------------------------------------- https://isc.sans.edu/diary/rss/28468 ∗∗∗ Dissecting a Phishing Campaign with a Captcha-based URL ∗∗∗ --------------------------------------------- In today’s environment, much of the population are doing their bank or financial transactions online and online banking or wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-… ∗∗∗ A journey into IoT – Unknown Chinese alarm – Part 1 – Discover components and ports ∗∗∗ --------------------------------------------- So, after a couple of introductory articles, let’s start with a series of articles on an analysis executed on an unknown device. I received a Chinese smart alarm, clone of the Xiaomi Smart Home system, and it seemed perfect for the purpose. --------------------------------------------- https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-… ∗∗∗ Alte Tricks, neue Korplug‑Variante: Hodur von Mustang Panda ∗∗∗ --------------------------------------------- ESET-Forscher haben eine zuvor undokumentierte Korplug-Variante namens Hodur entdeckt, die von Mustang Panda verbreitet wird. Sie nutzt Phishing-Köder, die auf aktuelle Ereignisse in Europa anspielen, einschließlich der Invasion in der Ukraine. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/03/23/alte-tricks-neue-korplug-… ∗∗∗ Fake-Shop auf idealo.com.de! ∗∗∗ --------------------------------------------- Kriminelle haben die Website der Preisvergleichsplattformen idealo.at und idealo.de nachgebaut. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-auf-idealocomde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Netatalk < 3.1.13: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Netatalk 3.1.13 behebt die folgenden Schwachstellen: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194 --------------------------------------------- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/888994/ ∗∗∗ Bosch Fire Monitoring System (FSM) affected by log4net Vulnerability ∗∗∗ --------------------------------------------- A vulnerability has been discovered affecting the Bosch Fire Monitoring System (FSM-2500, FSM-5000, FSM-10k and obsolete FSM-10000). The issue applies to FSM server with version 5.6.630 and lower, and FSM client with version 5.6.2131 and lower. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-479793-bt.html ∗∗∗ ZDI-22-524: (Pwn2Own) NETGEAR R6700v3 libreadycloud.so Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-524/ ∗∗∗ ZDI-22-523: (Pwn2Own) NETGEAR R6700v3 circled Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-523/ ∗∗∗ ZDI-22-522: (Pwn2Own) NETGEAR R6700v3 readycloud_control.cgi Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-522/ ∗∗∗ ZDI-22-521: (Pwn2Own) NETGEAR R6700v3 Missing Authentication for Critical Function Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-521/ ∗∗∗ ZDI-22-520: (Pwn2Own) NETGEAR R6700v3 Improper Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-520/ ∗∗∗ ZDI-22-519: (Pwn2Own) NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-519/ ∗∗∗ ZDI-22-518: (Pwn2Own) NETGEAR R6700v3 httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-518/ ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Service Registry and Repository due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Db2 Big SQL is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulner… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Vulnerability in Apache log4j affects WebSphere Service Registry and Repository (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-pr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2022-22316) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-extreme-sca… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Elastic Storage System (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ VMSA-2022-0008 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0008.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2022
by Daily end-of-shift report 22 Mar '22

22 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-03-2022 18:00 − Dienstag 22-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Serpent malware campaign abuses Chocolatey Windows package manager ∗∗∗ --------------------------------------------- Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abu… ∗∗∗ Conti Ransomware V. 3, Including Decryptor, Leaked ∗∗∗ --------------------------------------------- The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it’s reportedly clunkier code. Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal. --------------------------------------------- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/1790… ∗∗∗ CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users ∗∗∗ --------------------------------------------- Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. --------------------------------------------- https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html ∗∗∗ Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen ∗∗∗ --------------------------------------------- Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe. --------------------------------------------- https://heise.de/-6603364 ∗∗∗ Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten ∗∗∗ --------------------------------------------- Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös! --------------------------------------------- https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen… ∗∗∗ Sandworm: A tale of disruption told anew ∗∗∗ --------------------------------------------- [..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group – Sandworm. Who is Sandworm? --------------------------------------------- https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-ane… ∗∗∗ FBI and FinCEN Release Advisory on AvosLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-re… ∗∗∗ Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS ∗∗∗ --------------------------------------------- In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. --------------------------------------------- https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick… ∗∗∗ Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen. --------------------------------------------- https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-googl… ∗∗∗ Cobalt Strike: Overview – Part 7 ∗∗∗ --------------------------------------------- This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. --------------------------------------------- https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/ ∗∗∗ Detecting shadow credentials ∗∗∗ --------------------------------------------- This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials). --------------------------------------------- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ ∗∗∗ 8 Tips for Securing Networks When Time Is Scarce ∗∗∗ --------------------------------------------- In light of increased cyber risk surrounding the Russia-Ukraine conflict, we’ve put together 8 tips that defenders can take right now to prepare. --------------------------------------------- https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-wh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. --------------------------------------------- https://www.drupal.org/sa-core-2022-006 ∗∗∗ Multiple Vulnerabilities in GARO Wallbox ∗∗∗ --------------------------------------------- 1. Without Authentication(CVE-2021-45878) 2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877) 3. Unauthenticated Command Injection(CVE-2021-45876) --------------------------------------------- https://github.com/delikely/advisory/tree/main/GARO ∗∗∗ Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen ∗∗∗ --------------------------------------------- Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6605306 ∗∗∗ Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware ∗∗∗ --------------------------------------------- Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können. --------------------------------------------- https://heise.de/-6602749 ∗∗∗ Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar ∗∗∗ --------------------------------------------- Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen. --------------------------------------------- https://heise.de/-6604576 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/888859/ ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K31323265: OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_mediu… ∗∗∗ PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-007/ ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2022
by Daily end-of-shift report 21 Mar '22

21 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-03-2022 18:00 − Montag 21-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Elden Ring: Hacker zerstören Spielstände ∗∗∗ --------------------------------------------- Invasionen feindlicher Spieler sind noch gefährlicher geworden, denn eine Sicherheitslücke kann Elden Ring zum Absturz zu bringen. --------------------------------------------- https://www.golem.de/news/elden-ring-hacker-zerstoeren-spielstaende-2203-16… ∗∗∗ Sicherheitsanalyse zum Industrieprotokoll OPC UA aktualisiert ∗∗∗ --------------------------------------------- Die Studie des BSI liefert eine Bewertung der spezifizierten und realisierten Sicherheitsfunktionen von OPC UA. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Willhaben-VerkäuferInnen aufgepasst: Kurierdienst von Willhaben ist Betrug ∗∗∗ --------------------------------------------- Auf willhaben.at inseriert? Dann nehmen Sie sich vor betrügerischen KäuferInnen in Acht! Betrügerische KäuferInnen schlagen Ihnen vor, die Zahlung und Übergabe der Ware über den „Kurierdienst PayLivery AG“ vorzunehmen. Der Link zur Webseite, auf der dieser „Kurierdienst“ beschrieben wird, wird gleich mitgesendet. Vorsicht: Diesen Kurierdienst gibt es gar nicht. Die Webseite willhaben-at.shop/help.html ist gefälscht und gehört nicht zu willhaben.at! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-verkaeuferinnen-aufgepasst… ∗∗∗ Free decryptor released for TrickBot gangs Diavol ransomware ∗∗∗ --------------------------------------------- Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ New Phishing toolkit lets anyone create fake Chrome browser windows ∗∗∗ --------------------------------------------- A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-an… ∗∗∗ Meet Exotic Lily, access broker for ransomware and other malware peddlers ∗∗∗ --------------------------------------------- Exotic Lily is the name given to a group of cybercriminals that specialized as an initial access broker, serving groups like Conti and Diavol ransomware. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-acc… ∗∗∗ APT35 Automates Initial Access Using ProxyShell ∗∗∗ --------------------------------------------- In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks [...] --------------------------------------------- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Western Digital EdgeRover geschlossen ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate für Western Digitals Datenverwaltungsanwendung EdgeRover sperrt Angreifer aus. --------------------------------------------- https://heise.de/-6594172 ∗∗∗ A Bug That Doesnt Want To Die (CVE-2021-34484) ∗∗∗ --------------------------------------------- In November we issued a micropatch for a local privilege escalation in User Profile Service. This vulnerability was found and reported to Microsoft by security researcher Abdelhamid Naceri and assigned CVE-2021-34484 when initially fixed. Abdelhamid subsequently noticed that Microsofts patch was incomplete and wrote a POC to bypass it. Based on that information, we were able to create a micropatch for what was then considered a 0day [...] --------------------------------------------- https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- Update 3/21/2022: Microsofts fix for this issue turned out to be flawed. We ported our micropatches to all affected Windows versions and made them all FREE for everyone again. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/888686/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0332 ∗∗∗ MISP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0331 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities fixed in IBM Maximo Application Suite Monitor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Answer Retrieval for Watson Discovery is vulnerable to phishing attacks due to Swagger UI (CVE number(s) 221508) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-answer-retrieval-for-… ∗∗∗ Security Bulletin: urllib upgrade CVE-2021-33503, CVE-2021-28363 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urllib-upgrade-cve-2021-3… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Protect 8.1.14.000 Server is vulnerable to bypass of security restrictions (CVE-2022-22394) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-8-1-… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE related to the Libraries component affects IBM Control Center (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE and Eclipse OpenJ9 affect IBM Control Center (CVE-2020-14803 & CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2022
by Daily end-of-shift report 18 Mar '22

18 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-03-2022 18:00 − Freitag 18-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Unix rootkit used to steal ATM banking data ∗∗∗ --------------------------------------------- Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-ste… ∗∗∗ Open Source: NPM-Paket löscht Dateien aus Protest gegen Ukrainekrieg ∗∗∗ --------------------------------------------- Ein weitverbreitetes NPM-Paket löscht die Dateien von russischen Entwicklern und vervielfältigt Anti-Kriegsbotschaften. --------------------------------------------- https://www.golem.de/news/open-source-npm-paket-loescht-dateien-aus-protest… ∗∗∗ Scans for Movable Type Vulnerability (CVE-2021-20837), (Fri, Mar 18th) ∗∗∗ --------------------------------------------- Yesterday, our honeypots started seeing many requests scanning for the Movable Type API. Movable Type is a content management system comparable to WordPress or Drupal. --------------------------------------------- https://isc.sans.edu/diary/rss/28454 ∗∗∗ New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers ∗∗∗ --------------------------------------------- ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. --------------------------------------------- https://thehackernews.com/2022/03/new-variant-of-russian-cyclops-blink.html ∗∗∗ Neue Phishing-Methode kombiniert Fax und Captchas ∗∗∗ --------------------------------------------- Um den Anti-Phishing-Filter auszutricksen, packt eine neue Angriffsmethode Links in Fax-PDFs und versteckt die gefälschte Webseite hinter einem Google-Captcha. --------------------------------------------- https://heise.de/-6587105 ∗∗∗ How to protect RDP ∗∗∗ --------------------------------------------- RDP is still a popular target for attackers, so how do you keep your remote desktops safe? --------------------------------------------- https://blog.malwarebytes.com/security-world/business-security-world/2022/0… ∗∗∗ Diese Betrugsmaschen sollten LinkedIn-NutzerInnen kennen ∗∗∗ --------------------------------------------- LinkedIn wird vor allem mit Professionalität verbunden. Das ist wohl auch ein Grund, wieso LinkedIn weniger mit Betrug in Zusammenhang gebracht wird. Das spielt Kriminellen in die Hände, die mit Fake-Profilen Schadsoftware verbreiten können, betrügerische Jobs anbieten oder mit Hilfe von Phishing-Mails versuchen an sensible Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-linkedi… ∗∗∗ Strengthening Cybersecurity of SATCOM Network Providers and Customers ∗∗∗ --------------------------------------------- CISA and FBI strongly encourage critical infrastructure organizations and, specifically, organizations that are SATCOM network providers or customers to review the joint CSA and implement the mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/strengthening-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/888412/ ∗∗∗ CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable ∗∗∗ --------------------------------------------- CVE-2021-28372, a vulnerability in third-party software commonly built into many IP cameras, highlights issues in IoT supply chain security. --------------------------------------------- https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/ ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ may affect IBM ILOG CPLEX Optimization Studio (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-4104, CVE-2021-29469, CVE-2021-44531, CVE-2021-44531, CVE-2022-21824, CVE-2021-29899, CVE-2021-27290 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-CVE-2021-39046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ Runtime may affect IBM Decision Optimization Center (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K08173228: Multiple Intel CPU vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08173228 ∗∗∗ Synology-SA-22:04 OpenSSL ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_04 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0329 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2022
by Daily end-of-shift report 17 Mar '22

17 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-03-2022 18:00 − Donnerstag 17-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SolarWinds warns of attacks targeting Web Help Desk instances ∗∗∗ --------------------------------------------- SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-… ∗∗∗ Microsoft creates tool to scan MikroTik routers for TrickBot infections ∗∗∗ --------------------------------------------- The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-sc… ∗∗∗ CISA: US-Behörde warnt vor 15 aktiv ausgenutzten Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA warnt Unternehmen und Behörden vor 15 älteren Sicherheitslücken, die aktiv für Angriffe ausgenutzt werden. --------------------------------------------- https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-… ∗∗∗ DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly ∗∗∗ --------------------------------------------- The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. --------------------------------------------- https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html ∗∗∗ LokiLocker ransomware family spotted with built-in wiper ∗∗∗ --------------------------------------------- BlackBerry says extortionists erase documents if ransom unpaid BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_l… ∗∗∗ Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks ∗∗∗ --------------------------------------------- What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives. --------------------------------------------- https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-esc… ∗∗∗ From BlackMatter to BlackCat: Analyzing two attacks from one affiliate ∗∗∗ --------------------------------------------- While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants. --------------------------------------------- http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-anal… ===================== = Vulnerabilities = ===================== ∗∗∗ New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..] --------------------------------------------- https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db). --------------------------------------------- https://lwn.net/Articles/888288/ ∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Virtualization ausnutzen, um Dateien zu manipulieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0328 ∗∗∗ ISC Releases Security Advisories for BIND ∗∗∗ --------------------------------------------- Original release date: March 17, 2022The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-secu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2022
by Daily end-of-shift report 16 Mar '22

16 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-03-2022 18:00 − Mittwoch 16-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Android trojan persists on the Google Play Store since January ∗∗∗ --------------------------------------------- Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-t… ∗∗∗ Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th) ∗∗∗ --------------------------------------------- On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity. --------------------------------------------- https://isc.sans.edu/diary/rss/28448 ∗∗∗ The Attack of the Chameleon Phishing Page ∗∗∗ --------------------------------------------- Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-… ∗∗∗ Werbe-SMS „Bewerbung erhalten“ führt zu Investment-Betrug ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen von einer angeblichen Bewerbung durch die EmpfängerInnen die Rede ist. Wie die Kriminellen an Namen und Telefonnummer der Betroffenen gelangen, ist unklar. Klar hingegen ist, dass der enthaltene Link auf eine betrügerische Investment-Werbung führt. --------------------------------------------- https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-… ∗∗∗ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ∗∗∗ --------------------------------------------- This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. --------------------------------------------- https://asec.ahnlab.com/en/32572/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters ∗∗∗ --------------------------------------------- Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations. --------------------------------------------- https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html ∗∗∗ 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS ∗∗∗ --------------------------------------------- The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. --------------------------------------------- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-db… ∗∗∗ Sicherheitslücke: Präparierte TLS-Zertifikate können OpenSSL-Systeme gefährden ∗∗∗ --------------------------------------------- Angreifer könnten Clients und Server mit präparierten TLS-Zertifikaten auf Basis von elliptischen Kurven lahmlegen. --------------------------------------------- https://heise.de/-6550820 ∗∗∗ Sicherheitsupdates: Angreifer könnten Schadcode durch pfSense-Firewall schieben ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden Systeme mit der Firewall-Distribution pfSense. --------------------------------------------- https://heise.de/-6577971 ∗∗∗ Sicherheitsupdates: Schadcode-Schlupflöcher in Dell-BIOS ∗∗∗ --------------------------------------------- Angreifer könnten Dell-Computer attackieren und im schlimmsten Fall die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-6550647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...] --------------------------------------------- https://lwn.net/Articles/888093/ ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-005 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Improper Restriction of XML External Entity Reference in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2022
by Daily end-of-shift report 15 Mar '22

15 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-03-2022 18:00 − Dienstag 15-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Massive phishing campaign uses 500+ domains leading to fake login pages ∗∗∗ --------------------------------------------- Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-us… ∗∗∗ Sicherheitslücke in Druckern: Über 300 Jahre alter Algorithmus knackt RSA-Keys ∗∗∗ --------------------------------------------- Drucker von Canon und Fujifilm erzeugen schwache RSA-Schlüssel, die sich mit dem Faktorisierungsalgorithmus von Fermat angreifen lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-druckern-ueber-300-jahre-alt… ∗∗∗ New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel ∗∗∗ --------------------------------------------- Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar, on February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system, We decided to take a close look, and indeed, it is a new botnet family, which we named B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. --------------------------------------------- https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ∗∗∗ Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th) ∗∗∗ --------------------------------------------- EDR or "Endpoint Detection & Response" is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in modern SIEM infrastructure: To see a word.exe running is definitively not malicious, same with a Powershell script being launched. But if you monitor parent/child relations, to see a Powershell script launched from a Word process, that is suspicious! --------------------------------------------- https://isc.sans.edu/diary/rss/28444 ∗∗∗ A Simple Guide to Getting CVEs Published ∗∗∗ --------------------------------------------- This guide will, hopefully, let you skip the headaches and guesswork that we endured learning this process when you try to get a CVE published. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-simple-gu… ∗∗∗ Can an HTTPS Website be Hacked? ∗∗∗ --------------------------------------------- It should be no shock by now that a professional can break through anything. These days, zero-days are a dime a dozen, so it’s important to ensure your site is hardened and protected as much as possible. While an SSL certificate can certainly be an important factor, it’s only one slice of the pie. In this article, we’ll be elaborating on the myths of SSL, the kinds of hacks that still have the potential to occur, and how you can improve an HTTPS site beyond installing an SSL certificate. --------------------------------------------- https://blog.sucuri.net/2022/03/can-an-https-website-be-hacked.html ∗∗∗ Ukraine-Krieg: BSI warnt vor Kasperskys Sicherheits- und Antiviren-Software ∗∗∗ --------------------------------------------- Wer Antiviren-Software des russischen Herstellers einsetzt, sollte auf alternative Produkte ausweichen, heißt es der offizellen BSI-Warnung. --------------------------------------------- https://heise.de/-6549515 ∗∗∗ Vorsicht vor Anrufe und E-Mails von „Besser-Gefunden“ ∗∗∗ --------------------------------------------- Momentan werden Unternehmen telefonisch von „Besser-Gefunden“ kontaktiert. Die Person am Telefon erklärt Ihnen, dass Ihr Unternehmen einen Vertrag für die Schaltung von kostenpflichtigen Anzeigen im Firmenverzeichnis von „Besser-Gefunden“ abgeschlossen hat und die Gebühren bald fällig werden. Dieser Vertrag verlängert sich automatisch, wenn er nicht sofort schriftlich storniert wird. Vorsicht: Dabei handelt es sich um eine betrügerische Masche zur Kundengewinnung! Legen Sie auf und unterschreiben Sie nichts. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufe-und-e-mails-von-… ∗∗∗ Updated: Kubernetes Hardening Guide ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/updated-kubernete… ∗∗∗ Investigating an engineering workstation – Part 1 ∗∗∗ --------------------------------------------- In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction with it. --------------------------------------------- https://blog.nviso.eu/2022/03/15/investigating-an-engineering-workstation-p… ∗∗∗ Threat Advisory: CaddyWiper ∗∗∗ --------------------------------------------- Overview Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. [..] Analysis: The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show any indications of persistency, self-propagation or exploitation code. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html ∗∗∗ OpenSSL security releases may require Node.js security releases ∗∗∗ --------------------------------------------- The Node.js project may be releasing new versions across all of its supportedrelease lines late this week to incorporate upstream patches from OpenSSL. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems. --------------------------------------------- https://isc.sans.edu/diary/rss/28438 ∗∗∗ Sicherheitsupdate für IBM Spectrum Protect: Fremdzugriff auf Datenbanken möglich ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für IBMs Backup-Lösung Spectrum Protect. Angreifer könnten unter anderem auf eigentlich verschlüsselte Informationen zugreifen. --------------------------------------------- https://heise.de/-6548621 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh). --------------------------------------------- https://lwn.net/Articles/887914/ ∗∗∗ Belden Security Bulletin – Industrial IT BSECV-2021-16 ∗∗∗ --------------------------------------------- CVEs: CVE-2020-24588, CVE-2020-26144, CVE-2020-26146 and CVE-2020-26147. FragAttacks 2 (fragmentation and aggregation attacks) is a collection of security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can exploit these vulnerabilities to steal user information or attack devices. Affected products: Hirschmann OpenBAT, WLC, BAT450 --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14146&mediaformat… ∗∗∗ Dirty Pipe Linux Flaw Affects a Wide Range of QNAP NAS Devices ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html ∗∗∗ Security Bulletin: CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-deferred-fr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Workstations Central Administration Console (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Mobilefirst is affected by a log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-is-affected-b… ∗∗∗ Security Bulletin: Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-1-2-reached-… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect Operations Center (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ ABB OPC Server for AC 800M ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-074-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2022
by Daily end-of-shift report 14 Mar '22

14 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗ --------------------------------------------- The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-escobar-stea… ∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/28436 ∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗ --------------------------------------------- Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu. --------------------------------------------- https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html ∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗ --------------------------------------------- This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability. --------------------------------------------- https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-net… ∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗ --------------------------------------------- [..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges. --------------------------------------------- https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗ --------------------------------------------- The major differences between the InternetDB API and the main Shodan API are: - No API key required - Much higher rate limit - Weekly updates - Minimal port/ service information - Non-commercial use only --------------------------------------------- https://blog.shodan.io/introducing-the-internetdb-api/ ∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗ --------------------------------------------- c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen? Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich. --------------------------------------------- https://heise.de/-6540223 ∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗ --------------------------------------------- ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8 --------------------------------------------- https://www.veeam.com/kb4288 ∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗ --------------------------------------------- Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-pl… ∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗ --------------------------------------------- Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs. --------------------------------------------- https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-so… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd). --------------------------------------------- https://lwn.net/Articles/887807/ ∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421 Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0308 ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943 Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0306 ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-li… ∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-ma… ∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery… ∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-an… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cr… ∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63603485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2022
by Daily end-of-shift report 11 Mar '22

11 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-03-2022 18:00 − Freitag 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Raccoon Stealer Crawls Into Telegram ∗∗∗ --------------------------------------------- The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware. --------------------------------------------- https://threatpost.com/raccoon-stealer-telegram/178881/ ∗∗∗ Keep an Eye on WebSockets, (Fri, Mar 11th) ∗∗∗ --------------------------------------------- It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is. --------------------------------------------- https://isc.sans.edu/diary/rss/28430 ∗∗∗ Bypassing MFA: A Pentest Case Study ∗∗∗ --------------------------------------------- When a company implements multifactor authentication, the organization is usually confident that it’s using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-m… ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. Its, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Whats up with in-the-wild exploits? Plus, what were doing about it. ∗∗∗ --------------------------------------------- If you are a regular reader of our Chrome release blog, you may have noticed that phrases like exploit for CVE-1234-567 exists in the wild have been appearing more often recently. In this post well explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. Well then share how Chrome is continuing to make it harder for attackers to achieve their goals. --------------------------------------------- http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.… ∗∗∗ WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities ∗∗∗ --------------------------------------------- Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. --------------------------------------------- https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixe… ∗∗∗ Cobalt Strike: Memory Dumps – Part 6 ∗∗∗ --------------------------------------------- This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/ ∗∗∗ Infostealer Being Distributed via YouTube ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. --------------------------------------------- https://asec.ahnlab.com/en/32499/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-503/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion). --------------------------------------------- https://lwn.net/Articles/887635/ ∗∗∗ Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5… ∗∗∗ Siemens Solid Edge, JT2Go, and Teamcenter Visualization ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07 ∗∗∗ Mehrere Schwachstellen in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080) ∗∗∗ --------------------------------------------- Der PONTON X/P Messenger der PONTON GmbH ist in den Versionen 3.8.0 und 3.10.0 unter eingeschränkten Voraussetzungen anfällig für mehrere Schwachstellen. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messe… ∗∗∗ CERT-EU warnt vor SMBv3-Schwachstelle CVE-2022-24508, Fix durch Windows März 2022-Updates ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom 8. März 2022 für Windows hat Microsoft eine Reihe Schwachstellen geschlossen. Darunter ist auch eine als wichtig eingestufte Remote Code Execution-Schwachstelle (REC) im Windows SMBv3 Client/Server. CERT-EU warnt in einer aktuellen Mitteilung vor dieser SMBv3-Schwachstelle CVE-2022-24508 [...] --------------------------------------------- https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachste… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 10 March 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0299 ∗∗∗ phpMyAdmin: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0304 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0302 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ib… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2022
by Daily end-of-shift report 10 Mar '22

10 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-03-2022 18:00 − Donnerstag 10-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Nearly 30% of critical WordPress plugin bugs dont get a patch ∗∗∗ --------------------------------------------- Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critica… ∗∗∗ What Security Controls Do I Need for My Kubernetes Cluster? ∗∗∗ --------------------------------------------- This Tech Tip offers some security controls to embed in your organizations CI/CD pipeline to protect Kubernetes clusters and corporate networks. --------------------------------------------- https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my… ∗∗∗ Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads ∗∗∗ --------------------------------------------- The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. --------------------------------------------- https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-ema… ∗∗∗ Credentials Leaks on VirusTotal, (Thu, Mar 10th) ∗∗∗ --------------------------------------------- A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal[1]. Im keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of passwords leaks shared on VTI but yesterday, there was a peak of files uploaded on this platform. --------------------------------------------- https://isc.sans.edu/diary/rss/28426 ∗∗∗ Demystifying E-Commerce Website Security ∗∗∗ --------------------------------------------- Here we’ll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures. --------------------------------------------- https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.ht… ∗∗∗ Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain a patches for a security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html ∗∗∗ Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers ∗∗∗ --------------------------------------------- In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EUs digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD) --------------------------------------------- https://arxiv.org/abs/2203.04887 ∗∗∗ The Conti Leaks: Insight into a Ransomware Unicorn ∗∗∗ --------------------------------------------- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti’s organizational infrastructure is run, details key figureheads, tooling as well as bitcoin transactions. --------------------------------------------- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ ∗∗∗ Spectre V2 ist auch bei ARM und Intel zurück: Angriff auf Branch History Buffer ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen von Intel-Prozessoren und ARM-Kernen gegen Seitenkanalangriffe vom Typ Spectre V2 reichen nicht aus. --------------------------------------------- https://heise.de/-6545263 ∗∗∗ „Ihr ID-Betriebssystem wird gesperrt“ – Apple E-Mail ist Fake! ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail, das angeblich von Apple versendet wird, werden Sie aufgefordert Ihre Apple ID zu überprüfen. Doch Vorsicht – es handelt sich um Phishing! Hier sind Kriminelle auf Ihre Daten aus! Am besten ignorieren Sie das E-Mail. --------------------------------------------- https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-… ∗∗∗ Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools ∗∗∗ --------------------------------------------- Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ [webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- # note : this is blind RCE so don't expect to see results on the site # this exploit is tested against Zabbix 5.0.17 only --------------------------------------------- https://www.exploit-db.com/exploits/50816 ∗∗∗ XSA-396 ∗∗∗ --------------------------------------------- CVEs: CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-396.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat). --------------------------------------------- https://lwn.net/Articles/887484/ ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- - SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028 - Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0298 ∗∗∗ CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM) ∗∗∗ --------------------------------------------- Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0022 ∗∗∗ UNIVERGE WA Series vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72801744/ ∗∗∗ [remote] Siemens S7-1200 - Unauthenticated Start/Stop Command ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50820 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-per… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2022
by Daily end-of-shift report 09 Mar '22

09 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-03-2022 18:00 − Mittwoch 09-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Betrug auf Discord: „Sorry, ich habe deinen Steam-Account gemeldet!“ ∗∗∗ --------------------------------------------- Gamerinnen und Gamer aufgepasst: Auf Discord kommt es momentan zu Kontaktaufnahmen durch Kriminelle, die sich für das Melden des Steam-Accounts entschuldigen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-auf-discord-sorry-ich-habe-de… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part Two ∗∗∗ --------------------------------------------- In the second of a two-part series of blogs, we examine the communications and networking features of Daxin. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ===================== = Vulnerabilities = ===================== ∗∗∗ Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint ∗∗∗ --------------------------------------------- Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoo… ∗∗∗ New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices. --------------------------------------------- https://thehackernews.com/2022/03/new-16-high-severity-uefi-firmware.html ∗∗∗ Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses ∗∗∗ --------------------------------------------- Researchers have disclosed three security vulnerabilities affecting Pascom Cloud Phone System (CPS) that could be combined to achieve a full pre-authenticated remote code execution of affected systems. --------------------------------------------- https://thehackernews.com/2022/03/critical-rce-bugs-found-in-pascom-cloud.h… ∗∗∗ TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices ∗∗∗ --------------------------------------------- Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. --------------------------------------------- https://www.armis.com/research/tlstorm/ ∗∗∗ Patchday: SAP behebt 16 Schwachstellen ∗∗∗ --------------------------------------------- Zum März-Patchday bei SAP liefert das Unternehmen Aktualisierungen für zwölf neue Sicherheitslücken aus. Zudem aktualisiert es vier ältere Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-6543439 ∗∗∗ Alte Lücke in Pulse Connect Secure-VPN wird angegriffen ∗∗∗ --------------------------------------------- Schon Mitte 2020 hat Pulse Secure in seiner VPN-Lösung Aktualisierungen veröffentlicht, die Sicherheitslücken schließen. Die Lücken werden jetzt angegriffen. --------------------------------------------- https://heise.de/-6544328 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, [...] --------------------------------------------- https://lwn.net/Articles/887309/ ∗∗∗ Microsoft Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/microsoft-release… ∗∗∗ SAP Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/sap-releases-marc… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/adobe-releases-se… ∗∗∗ ZDI-22-492: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-492/ ∗∗∗ ZDI-22-491: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-491/ ∗∗∗ ZDI-22-490: (0Day) Ecava IntegraXor Inkscape WMF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-490/ ∗∗∗ ZDI-22-489: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-489/ ∗∗∗ ZDI-22-488: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-488/ ∗∗∗ ZDI-22-487: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-487/ ∗∗∗ ZDI-22-486: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-486/ ∗∗∗ ZDI-22-485: (0Day) Ecava IntegraXor Inkscape PCX File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-485/ ∗∗∗ AMD: LFENCE/JMP Mitigation Update for CVE-2017-5715 ∗∗∗ --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 ∗∗∗ Intel Processor Advisory: INTEL-SA-00598 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in ISC BIND affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-isc-bind… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer Content Analytics Studio ( CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ XSA-398 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-398.html ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0279 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0276 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341586 ∗∗∗ NetApp SnapCenter Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500477-NETAPP-SNAPCENTER-INFOR… ∗∗∗ Brocade Fabric OS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500476-BROCADE-FABRIC-OS-VULNE… ∗∗∗ Lenovo Thin Installer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500475-LENOVO-THIN-INSTALLER-D… ∗∗∗ Glance by Mirametrix Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500474-GLANCE-BY-MIRAMETRIX-VU… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2022
by Daily end-of-shift report 08 Mar '22

08 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-03-2022 18:00 − Dienstag 08-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fernverwaltung mit Sicherheitslücke gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Viele medizinische IoT-Geräte enthalten Fernverwaltungssoftware von Axeda/PTC. Sicherheitslücken ermöglichen Angreifern das Einschleusen von Schadcode. --------------------------------------------- https://heise.de/-6542436 ∗∗∗ Stecker zum Stromsparen auf „getecotex.com“ ist Betrug ∗∗∗ --------------------------------------------- Auf getecotex.com wird ein Stecker zum Stromsparen angeboten. Für 59 Euro kann angeblich der Stromfluss stabilisiert, hochfrequenter Strom entfernt und die Energierechnung reduziert werden. Vorsicht: Diese Versprechen sind frei erfunden - ein solches Gerät existiert nicht. Sie werden betrogen und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecote… ∗∗∗ CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector ∗∗∗ --------------------------------------------- A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet. --------------------------------------------- https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-… ∗∗∗ Emotet growing slowly but steadily since November resurgence ∗∗∗ --------------------------------------------- The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-st… ∗∗∗ An attackers toolchest: Living off the land ∗∗∗ --------------------------------------------- If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land ∗∗∗ Androids March 2022 Security Updates Patch 39 Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component. --------------------------------------------- https://www.securityweek.com/androids-march-2022-security-updates-patch-39-… ∗∗∗ Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities ∗∗∗ --------------------------------------------- We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis. --------------------------------------------- https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/ ∗∗∗ Phishing attempts from FancyBear and Ghostwriter stepping up says Google ∗∗∗ --------------------------------------------- Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets. --------------------------------------------- https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwri… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part One ∗∗∗ --------------------------------------------- In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ FBI Releases Indicators of Compromise for RagnarLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indi… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- 08.03.2022 16:40 Bereich "Indirekte Angriffsfläche" erweitert --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Sicherheitslecks in APC Smart-UPS ∗∗∗ --------------------------------------------- In den APC Smart-UPS von Schneider Electric könnten Angreifer Sicherheitslücken ausnutzen, um Schadcode einzuschleusen oder die Geräte außer Funktion zu setzen. --------------------------------------------- https://heise.de/-6542950 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis). --------------------------------------------- https://lwn.net/Articles/887159/ ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02 ∗∗∗ Sensormatic PowerManage (Update A) ∗∗∗ --------------------------------------------- This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10 --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0268 ∗∗∗ Citrix Federated Authentication Service (FAS) Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341587 ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: IBM Security Directory Integrator has upgraded log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ SSA-250085: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt ∗∗∗ SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt ∗∗∗ SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt ∗∗∗ SSA-155599: File Parsing Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt ∗∗∗ SSA-148641: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt ∗∗∗ SSA-134279: Vulnerability in Mendix Forgot Password Appstore module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt ∗∗∗ SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt ∗∗∗ SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt ∗∗∗ SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt ∗∗∗ SSA-415938: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt ∗∗∗ SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt ∗∗∗ SSA-389290: Third-Party Component Vulnerabilities in SINEC INS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt ∗∗∗ SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt ∗∗∗ SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt ∗∗∗ SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2022
by Daily end-of-shift report 07 Mar '22

07 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-03-2022 18:00 − Montag 07-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ E-Mail vom "Zoll Kundenservice" ist Fake ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail von "[email protected]" wird behauptet, dass Ihr Paket nicht geliefert werden kann, da Zollgebühren nicht bezahlt wurden. Um die Zollgebühren zu begleichen, werden Sie aufgefordert, einen Paysafecard-Pin um 75 Euro zu schicken. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fa… ∗∗∗ Notfallupdate: Sicherheitslücken in Firefox und Thunderbird werden angegriffen ∗∗∗ --------------------------------------------- Die Mozilla-Stiftung hat außer der Reihe Sicherheitsupdates für Firefox, Klar und Thunderbird herausgegeben, die bereits aktiv angegriffene Lücken schließen. --------------------------------------------- https://heise.de/-6540649 ∗∗∗ Sicherheitsprobleme bei Samsung: Quellcode geklaut, unsichere Kryptografie ∗∗∗ --------------------------------------------- Einbrecher haben bei Samsung Quellcode entwendet. Zudem patzte der Hersteller bei Kryptografie in der Trusted Execution Environment von Flaggschiff-Smartphones. --------------------------------------------- https://heise.de/-6540849 ∗∗∗ Dirty Pipe: Linux-Kernel-Lücke erlaubt Schreibzugriff mit Root-Rechten ∗∗∗ --------------------------------------------- Ein Fehler bei der Verarbeitung von Pipes im Linux-Kernel lässt sich ausnutzen, um Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzug… ∗∗∗ Microsoft fixes critical Azure bug that exposed customer data ∗∗∗ --------------------------------------------- Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers data. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-az… ∗∗∗ Massive Meris Botnet Embeds Ransomware Notes from REvil ∗∗∗ --------------------------------------------- Notes threatening to tank targeted companies stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL. --------------------------------------------- https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/1… ∗∗∗ Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th) ∗∗∗ --------------------------------------------- Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort. --------------------------------------------- https://isc.sans.edu/diary/rss/28404 ∗∗∗ oledumps Extra Option, (Sat, Mar 5th) ∗∗∗ --------------------------------------------- A colleague asked if it was possible with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code. --------------------------------------------- https://isc.sans.edu/diary/rss/28406 ∗∗∗ Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking ∗∗∗ --------------------------------------------- Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victims box simply by knowing the IP [...] --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.ht… ∗∗∗ Backdooring WordPress using PyShell ∗∗∗ --------------------------------------------- PyShell is new tool made for bug bounty, ethical hacking, penetration testers or red-teamers. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. --------------------------------------------- https://blog.wpsec.com/backdooring-wordpress-using-pyshell/ ∗∗∗ Beware of malware offering “Warm greetings from Saudi Aramco” ∗∗∗ --------------------------------------------- A new Formbook campaign is targeting oil and gas companies. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware… ∗∗∗ Amcache contains SHA-1 Hash – It Depends! ∗∗∗ --------------------------------------------- If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. --------------------------------------------- https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/ ∗∗∗ Webhook Party – Malicious packages caught exfiltrating data via legit webhook services ∗∗∗ --------------------------------------------- Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload [...] --------------------------------------------- https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltra… ===================== = Vulnerabilities = ===================== ∗∗∗ New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances ∗∗∗ --------------------------------------------- Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. --------------------------------------------- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...] --------------------------------------------- https://lwn.net/Articles/887055/ ∗∗∗ Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device ∗∗∗ --------------------------------------------- Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device. --------------------------------------------- https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte… ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Some unspecified vulnerabilities in Java SE result in the unauthenticated attacker to take control of the system or some impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerab… ∗∗∗ Bitdefender Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0264 ∗∗∗ Webmin: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0267 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0266 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0265 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2022
by Daily end-of-shift report 04 Mar '22

04 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-03-2022 18:00 − Freitag 04-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 8-Character Passwords Can Be Cracked in Less than 60 Minutes ∗∗∗ --------------------------------------------- Researchers say passwords with less than seven characters can be hacked "instantly." --------------------------------------------- https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-c… ∗∗∗ 5 Risks That Can Cause Your Website to Get Reinfected ∗∗∗ --------------------------------------------- Re-infections are one of the most frustrating encounters site owners experience. Like a game of whack-a-mole, when you think you’ve found and removed everything malicious, more malicious content pops up. --------------------------------------------- https://blog.sucuri.net/2022/03/5-risks-that-can-cause-your-website-to-get-… ∗∗∗ SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store ∗∗∗ --------------------------------------------- NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android banking malware. --------------------------------------------- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-bankin… ∗∗∗ Nvidias geleakte Code-Signing-Zertifikate missbraucht ∗∗∗ --------------------------------------------- Die Einbrecher haben bei Nvidia auch Code-Signing-Zertifikate entwendet und veröffentlicht. Mit denen werden nun Angriffs-Tools signiert. --------------------------------------------- https://heise.de/-6537255 ∗∗∗ Betrügerische Spendenaufrufe: Kriminelle missbrauchen Krieg in der Ukraine ∗∗∗ --------------------------------------------- Um Menschen in der Ukraine finanziell zu unterstützen, gibt es derzeit zahlreiche Möglichkeiten. Doch auch Kriminelle missbrauchen diese Situation und erstellen betrügerische Webseiten mit Spendenaufrufen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenaufrufe-krimin… ∗∗∗ A Backdoor Lockpick ∗∗∗ --------------------------------------------- In early September, 2021, a fairly ordinary and inexpensive residential router came into the Zero Day research team’s possession. --------------------------------------------- https://medium.com/tenable-techblog/a-backdoor-lockpick-d847a83f4496 ∗∗∗ Die Renaissance des Cybervigilantismus ∗∗∗ --------------------------------------------- Der Krieg zwischen Russland und der Ukraine hat als - bis zu einem gewissen Grad überraschenden - Nebeneffekt die Renaissance von Software, die der durch Anonymous bekannt und populär gemachten, zu DDoS-Zwecken verwendeten "Low Orbit Ion Cannon" ähnelt. Dutzende solcher Programme oder auf dem selben Prinzip basierende Webseiten werden aktuell auf den sozialen Netzwerken verteilt und fast schon begeistert von vielen Menschen genutzt. --------------------------------------------- https://cert.at/de/blog/2022/3/die-renaissance-des-cybervigilantismus ∗∗∗ NSA Releases Network Infrastructure Security Guidance ∗∗∗ --------------------------------------------- The report captures best practices based on the depth and breadth of experience in supporting customers and responding to threats. Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/nsa-releases-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Amazon Alexa can be hijacked via commands from own speaker ∗∗∗ --------------------------------------------- Without a critical update, Amazon Alexa devices could wake themselves up and start executing audio commands issued by a remote attacker, according to infosec researchers at Royal Holloway, University of London. --------------------------------------------- https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/ ∗∗∗ New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? ∗∗∗ --------------------------------------------- CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ ∗∗∗ Kritische Root-Lücken gefährden Ciscos Fernzugriff-Software Expressway Series ∗∗∗ --------------------------------------------- Der Netzwerkhersteller Cisco hat wichtige Sicherheitsupdates für Expressway Series, StarOS & Co. veröffentlicht. --------------------------------------------- https://heise.de/-6537019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/886792/ ∗∗∗ pfSense-pkg-WireGuard vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85572374/ ∗∗∗ B&R APROL and B&R APROL: A flaw in Chainsaw component of Log4j can lead to code execution ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16449471… ∗∗∗ Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-soar-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security QRadar SOAR ( CVE-2021-35560, CVE-2021-35578, CVE-2021-35564, CVE-2021-35565, CVE-2021-35588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Trailer Power Line Communications (PLC) J2497 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-063-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2022
by Daily end-of-shift report 03 Mar '22

03 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-03-2022 18:00 − Donnerstag 03-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Free decryptor released for HermeticRansom victims in Ukraine ∗∗∗ --------------------------------------------- Avast Threat Labs has released a decryptor for the HermeticRansom ransomware strain used predominately in targeted attacks against Ukrainian systems in the past ten days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ Researchers Devise Attack for Stealing Data During Homomorphic Encryption ∗∗∗ --------------------------------------------- A vulnerability in a Microsoft crypto library gives attackers a way to figure out what data is being encrypted in lockpicker-like fashion. --------------------------------------------- https://www.darkreading.com/application-security/researchers-devise-attack-… ∗∗∗ Threat landscape for industrial automation systems, H2 2021 ∗∗∗ --------------------------------------------- By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ The Truth About USB Device Serial Numbers – (and the lies your tools tell) ∗∗∗ --------------------------------------------- Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. --------------------------------------------- https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers?msc=rss ∗∗∗ Vorsicht vor diesen betrügerischen Handwerksdiensten! ∗∗∗ --------------------------------------------- Ihnen ist die Tür zugefallen, der Schlüssel abgebrochen, oder ein Abflussrohr ist verstopft? Solche Notsituationen werden zunehmend von Kriminellen ausgenutzt: Sie bieten schnelle und einfache Hilfe an, doch Vorsicht! Diese unseriösen Anbieter verlangen Wucherpreise in bar und beheben oft nicht einmal das Problem! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-diesen-betruegerischen-… ∗∗∗ Update: Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Version 1.3 03.03.2022 15:45 * Weitere Empfehlungen, "Weitere Lektüre" Sektion * Aufgrund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifische Gefährdung für Österreich ist aktuell noch nicht auszumachen. --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/886683/ ∗∗∗ Zoho ManageEngine Desktop Central: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Zoho ManageEngine Desktop Central ausnutzen, um Informationen offenzulegen. CVE Liste: CVE-2022-23779 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0253 ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Autodesk AutoCAD ausnutzen, um beliebigen Programmcode auszuführen. CVE Liste: CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25795 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0252 ∗∗∗ Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-is-vulnerable-to-by… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-components-are-affe… ∗∗∗ Security Bulletin: IBM DataPower affected by vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-affected-by… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ K73200428: Linux kernel vulnerability CVE-2022-0185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73200428?utm_source=f5support&utm_mediu… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-01 ∗∗∗ BD Viper LT ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02 ∗∗∗ IPCOMM ipDIO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2022
by Daily end-of-shift report 02 Mar '22

02 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-03-2022 18:00 − Mittwoch 02-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing attacks target countries aiding Ukrainian refugees ∗∗∗ --------------------------------------------- A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attacks-target-coun… ∗∗∗ Geoblocking when you cant Geoblock, (Tue, Mar 1st) ∗∗∗ --------------------------------------------- Given recent events, I've gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). --------------------------------------------- https://isc.sans.edu/diary/rss/28392 ∗∗∗ TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps ∗∗∗ --------------------------------------------- An Android banking trojan designed to steal credentials and SMS messages has been observed once again sneaking past Google Play Store protections to target users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. --------------------------------------------- https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.ht… ∗∗∗ "Authority-Scam": Kriminelle imitieren Behörden für Investment-Betrug ∗∗∗ --------------------------------------------- Beim „Authority-Scam“ geben sich die Kriminellen als Behörde aus und fordern Zahlungen wegen der Investments. Nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-kriminelle-imitieren-… ∗∗∗ Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization ∗∗∗ --------------------------------------------- Scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations found 75% had known security gaps. --------------------------------------------- https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack ∗∗∗ --------------------------------------------- As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack. --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-reported-in-popular-open.ht… ∗∗∗ IBM warnt vor zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- IBM hat für diverse Produkte Updates veröffentlicht, die teils kritische Sicherheitslücken schließen. Administratoren sollten sie zeitnah installieren. --------------------------------------------- https://heise.de/-6531076 ∗∗∗ Sicherheitsupdates von Fortinet: Angreifer könnten Admin-Zugänge erraten ∗∗∗ --------------------------------------------- Unter anderen FortiMail und FortiWLC sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6531249 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/886560/ ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in AIX CAA (CVE-2022-22350, CVE-2021-38996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-aix-ca… ∗∗∗ Security Bulletin: SQL injection vulnerability in PostgreSQL affects IBM Connect:Direct Web Services (CVE-2021-23214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote attacker due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Bulletin: IBM InfoSphere Master Data Management Server vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-inf… ∗∗∗ Security Bulletin: Vulnerabilities with Expat, Spring Framework and Apache HTTP Server affect IBM Cloud Object Storage Systems (Feb 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ VMSA-2022-0007 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0007.html ∗∗∗ K34519550: Linux kernel vulnerability CVE-2021-27364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34519550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2022
by Daily end-of-shift report 01 Mar '22

01 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-02-2022 18:00 − Dienstag 01-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Axis Communications shares details on disruptive cyberattack ∗∗∗ --------------------------------------------- Axis Communications has published a post mortem about a cyberattack that caused severe disruption in their systems, with some systems still partially offline. --------------------------------------------- https://www.bleepingcomputer.com/news/security/axis-communications-shares-d… ∗∗∗ Cyber threat activity in Ukraine: analysis and resources ∗∗∗ --------------------------------------------- Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts. We’ve brought together all our analysis and guidance for customers who may be impacted by events ... --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/02/28/analysis-resources-cyber-thr… ∗∗∗ Instagram scammers as busy as ever: passwords and 2FA codes at risk ∗∗∗ --------------------------------------------- Instagram scams dont seem to be dying out - were seeing more variety and trickiness than ever... --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-e… ∗∗∗ Triaging A Malicious Docker Container ∗∗∗ --------------------------------------------- Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, we will walk through the triage of a malicious image containing a previously undetected-in-VirusTotal (at the time of this writing) piece of malware --------------------------------------------- https://sysdig.com/blog/triaging-malicious-docker-container/ ∗∗∗ How To Protect Magento Websites ∗∗∗ --------------------------------------------- As of recently, Magento1 has become outdated and no longer supported. Adobe’s goal is to move all users away to Magento2 instead, which has 2FA and a non-standard login URL enabled by default, being generally more secure. Migrating is very costly for an average business, however, so this article will hopefully shed some light on how you can still protect your site regardless of which version of Magento is currently being used. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-protect-magento-websites.html ∗∗∗ Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail ∗∗∗ --------------------------------------------- Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gangs AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. --------------------------------------------- https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html ∗∗∗ Nein, Signal wurde nicht gehackt ∗∗∗ --------------------------------------------- Auf Twitter tritt Signal derzeit Gerüchten entgegen, die behaupten, der Messenger sei gehackt oder anderweitig kompromittiert worden. Die Gerüchte "sind falsch. Signal wurde nicht gehackt", betont Signal auf Twitter. "Wir glauben, dass diese Gerüchte Teil einer koordinierten Fehlinformationskampagne sind, die die Menschen dazu bringen soll, weniger sichere Alternativen zu nutzen." --------------------------------------------- https://www.golem.de/news/messenger-nein-signal-wurde-nicht-gehackt-2203-16… ∗∗∗ Unusual sign-in activity mail goes phishing for Microsoft account holders ∗∗∗ --------------------------------------------- We look at a phishing mail which may cause concern for users of Microsoft services as it claims theres been a suspicious login from Russia.The post Unusual sign-in activity mail goes phishing for Microsoft account holders appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/03/unusual-sign-in-activity-mail-g… ∗∗∗ DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification ∗∗∗ --------------------------------------------- Threat actors specializing in distributed denial-of-service (DDoS) attacks have started abusing network middleboxes for reflection and amplification, Akamai warns. --------------------------------------------- https://www.securityweek.com/ddos-attacks-abuse-network-middleboxes-reflect… ∗∗∗ Betrügerische Investitionsplattformen: Checken Sie unsere Liste ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! In diesem Artikel listen wir betrügerische Investitionsplattformen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-investitionsplattform… ∗∗∗ Tales from the Field: Coin-Operated Culprit ∗∗∗ --------------------------------------------- Due to a lack of proper visibility and segmentation, a breakroom vending machine was provided unfettered access to an operational network worth billions of dollars. --------------------------------------------- https://claroty.com/2022/02/28/blog-tales-from-the-field-coin-operated-culp… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in VoipMonitor ∗∗∗ --------------------------------------------- I discovered and reported a few bugs in VoipMonitor ranging from a simple authentication bypass to a full RCE chain. Here I'll describe "most" of these bugs. The issues have been patched in VoipMonitor GUI version 24.97. --------------------------------------------- https://kerbit.io/research/read/blog/3 ∗∗∗ Cloud-Schutzlösung von Okta könnte Schadcode auf Server lassen ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt ein Schadcode-Schlupfloch in Okta Advanced Server Client. --------------------------------------------- https://heise.de/-6529223 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/886472/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Lansweeper could lead to JavaScript, SQL injections ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Lansweeper IT asset management solution that could allow an attacker to inject JavaScript or SQL code on the targeted device. [..] Users are encouraged to update these affected products as soon as possible: Lansweeper version 9.1.20.2. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues. --------------------------------------------- http://blog.talosintelligence.com/2022/03/vuln-spotlight-.html ∗∗∗ ZDI-22-424: (0Day) Delta Industrial Automation DIAEnergie AM_Handler SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-424/ ∗∗∗ ZDI-22-423: (0Day) Delta Industrial Automation DIAEnergie HandlerPage_KID Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-423/ ∗∗∗ ZDI-22-422: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-422/ ∗∗∗ ZDI-22-421: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-421/ ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service (CVE-2021-44790, CVE-2021-34798, CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-http-server-as-use… ∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System (CVE-2021-3583) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management(CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an incorrect session invalidation vulnerability (CVE-2021-38986) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Dashboards may be vulnerable to a denial of service vulnerability due to IBM X-Force vulnerability 220063 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in AIX audit commands (CVE-2021-38955) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-audi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a Java vulnerability (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow unauthorized viewing of logs and files (CVE-2022-22326) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27645) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a password hash that provides insufficient protection (CVE-2022-22321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Datacap is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2022
by Daily end-of-shift report 28 Feb '22

28 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-02-2022 18:00 − Montag 28-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Visual Voice Mail on Android may be vulnerable to eavesdropping ∗∗∗ --------------------------------------------- The security researcher, Chris Talbot, discovered the flaw on June 21, 2021, and filed the vulnerability under CVE-2022-23835. The bug is not a flaw in the Android operating system but rather how the service is implemented by mobile carriers. However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report for describing a non-exploitable risk, while Sprint and Verizon have not responded. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android… ∗∗∗ Reborn of Emotet: New Features of the Botnet and How to Detect it ∗∗∗ --------------------------------------------- One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotets executables. And it looked like the end of the trojans story. But the malware never ceased to surprise. November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. --------------------------------------------- https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.h… ∗∗∗ CISA Warns of High-Severity Flaws in Schneider and GE Digitals SCADA Software ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electrics Easergy medium voltage protection relays. --------------------------------------------- https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html ∗∗∗ Rogue RDP – Revisiting Initial Access Methods ∗∗∗ --------------------------------------------- With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover. --------------------------------------------- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-metho… ∗∗∗ BSI liefert "Maßnahmenkatalog Ransomware" ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik stellt im "Maßnahmenkatalog Ransomware" für Unternehmen und Behörden wichtige Präventionsmaßnahmen vor. --------------------------------------------- https://heise.de/-6528055 ∗∗∗ BrokenPrint: A Netgear stack overflow ∗∗∗ --------------------------------------------- This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3 --------------------------------------------- https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overfl… ∗∗∗ Bestellungen bei herzens-mensch.de und heimfroh.com führen zu Problemen ∗∗∗ --------------------------------------------- Bei den Online-Shops herzens-mensch.de und heimfroh.com handelt es sich um sogenannte Dropshipping-Shops. Die Shops geben an, ein österreichisches Unternehmen zu sein, liefern jedoch aus Asien. Diese Vorgehensweise ist nicht unbedingt betrügerisch, eine Bestellung bei herzens-mensch.de oder heimfroh.com kann aber sehr teuer werden und zu zahlreichen Problemen führen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-un… ∗∗∗ Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks ∗∗∗ --------------------------------------------- The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..] --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Auf Grund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifsch hohe Gefährdung für Österreich ist aktuell noch nicht auszumachen. Wir sind in laufendem Kontakt mit unseren Kollegen im europäischen CSIRTs Network und in den nationalen Koordinierungsstrukturen. --------------------------------------------- https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen ∗∗∗ BlackCat ransomware ∗∗∗ --------------------------------------------- AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ Mozillas VPN-Client könnte Schadcode nachladen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für Mozilla VPN. Nach erfolgreichen Attacken könnten Angreifer Systeme übernehmen. --------------------------------------------- https://heise.de/-6527681 ∗∗∗ Programmiersprache: Sicherheitslücke ermöglicht Codeschmuggel in PHP ∗∗∗ --------------------------------------------- Mit neuen PHP-Versionen schließen die Entwickler Sicherheitslücken, die Angreifern unter Umständen das Einschleusen von Schadcode ermöglichen könnten. --------------------------------------------- https://heise.de/-6527558 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/886358/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403 --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html ∗∗∗ ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&Language… ∗∗∗ Security Bulletin: Vulnerability in Java SE -CVE-2021-2161 may affect IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE – 2021-22930 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE-2021-22959, CVE-2021-22960 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2022
by Daily end-of-shift report 25 Feb '22

25 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-02-2022 18:00 − Freitag 25-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US and UK expose new malware used by MuddyWater hackers ∗∗∗ --------------------------------------------- MuddyWater is "targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-uk-expose-new-malware… ∗∗∗ Jester Stealer malware adds more capabilities to entice hackers ∗∗∗ --------------------------------------------- An infostealing piece of malware called Jester Stealer has been gaining popularity in the underground cybercrime community for its functionality and affordable prices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jester-stealer-malware-adds-… ∗∗∗ Cyberangriffe im Ukraine-Krieg: BSI warnt Behörden und Unternehmen nachdrücklich ∗∗∗ --------------------------------------------- Das BSI hat ein weiteres Warnschreiben an Unternehmen und Behörden geschickt. Demnach gibt es Netzwerkscans und erste Wiper in Partnerstaaten. --------------------------------------------- https://www.golem.de/news/cyberangriffe-im-ukraine-krieg-bsi-warnt-behoerde… ∗∗∗ Some details of the DDoS attacks targeting Ukraine and Russia in recent days ∗∗∗ --------------------------------------------- At 360Netlab, we continuously track botnets on a global scale through our BotMon system. In particular, for DDoS-related botnets, we further tap into their C2 communications to enable us really see the details of the attacks. --------------------------------------------- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukra… ∗∗∗ Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure ∗∗∗ --------------------------------------------- The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. --------------------------------------------- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html ∗∗∗ „ID-app aktivieren“: Betrügerisches Mail im Namen der Volksbank im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische E-Mails im Namen der Volksbank, in der dazu aufgefordert wird die ID-app zu aktivieren. Diese App wird von der Volksbank tatsächlich angeboten, um mehr Sicherheit zu gewährleisten. In diesem Fall missbrauchen aber Kriminelle diese Sicherheitsmaßnahme, um an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/id-app-aktivieren-betruegerisches-ma… ∗∗∗ Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement) ∗∗∗ --------------------------------------------- We provide an overview of known cyberthreats related to the Russia-Ukraine crisis including DDoS attacks, HermeticWiper and defacement and share recommendations for proactive defense. --------------------------------------------- https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukrai… ∗∗∗ Mac-Malware auf dem Vormarsch ∗∗∗ --------------------------------------------- Die Sicherheitsgefahren für mobile Geräte und Macs nehmen zu. Festgestellt wurden die Mac-Malware-Familien Cimpli, Pirrit, Imobie, Shlayer und Genieo. --------------------------------------------- https://www.zdnet.de/88399571/mac-malware-auf-dem-vormarsch/ ∗∗∗ Threat Update – Ukraine & Russia conflict ∗∗∗ --------------------------------------------- In this report, NVISO CTI describes the cyber threat landscape of Ukraine and by extension the current situation. --------------------------------------------- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ ∗∗∗ New Infostealer ‘ColdStealer’ Being Distributed ∗∗∗ --------------------------------------------- The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer. --------------------------------------------- https://asec.ahnlab.com/en/32090/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Java- und Kernel-Lücken in IBM AIX bedrohen Server ∗∗∗ --------------------------------------------- Angreifer könnten Server mit IBM AIX attackieren und im schlimmsten Fall die volle Kontrolle über Systeme erlangen. --------------------------------------------- https://heise.de/-6526120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd). --------------------------------------------- https://lwn.net/Articles/886124/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: CVE-2021-35550 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35550-may-affect… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: Vulnerability in the AIX smbcd daemon (CVE-2021-38993) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-coul… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM Application Server Liberty due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Mozilla VPN local privilege escalation via uncontrolled OpenSSL search path ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/ ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-01 ∗∗∗ Mitsubishi Electric EcoWebServerIII ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-02 ∗∗∗ Schneider Electric Easergy P5 and P3 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03 ∗∗∗ Baker Hughes Bently Nevada 3500 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2022
by Daily end-of-shift report 24 Feb '22

24 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-02-2022 18:00 − Donnerstag 24-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware infiltrates Microsoft Store via clones of popular games ∗∗∗ --------------------------------------------- A malware named Electron Bot has found its way into Microsofts Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsof… ∗∗∗ Malware: Mit Wipern und DDoS gegen ukrainische IT-Systeme ∗∗∗ --------------------------------------------- Etliche Webseiten in der Ukraine sind nicht erreichbar. Zudem sind Hunderte Rechner von einer vernichtenden Schadsoftware befallen. --------------------------------------------- https://www.golem.de/news/malware-mit-wipern-und-ddos-gegen-ukrainische-it-… ∗∗∗ Ukraine & Russia Situation From a Domain Names Perspective , (Thu, Feb 24th) ∗∗∗ --------------------------------------------- Every time, something happens in the world like an earthquake, big floods, or even major sports events, it is followed by a peak of new domains registrations. --------------------------------------------- https://isc.sans.edu/diary/rss/28376 ∗∗∗ Shadowserver Special Reports - Cyclops Blink ∗∗∗ --------------------------------------------- In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blin… ∗∗∗ HermeticWiper: New Destructive Malware Used In Cyber Attacks on Ukraine ∗∗∗ --------------------------------------------- On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. --------------------------------------------- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ ∗∗∗ SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors ∗∗∗ --------------------------------------------- SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed. --------------------------------------------- https://unit42.paloaltonetworks.com/sockdetour/ ∗∗∗ Clang Checkers and CodeQL Queries for Detecting Untrusted Pointer Derefs and Tainted Loop Conditions ∗∗∗ --------------------------------------------- In this final blog of the series, we experiment with CodeQL’s IR and Clang checkers for detecting such bug classes. --------------------------------------------- https://www.thezdi.com/blog/2022/2/22/clang-checkers-and-codeql-queries-for… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerabilities in Accusoft ImageGear could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear. --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-accusoft-code.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco schließt Root-Lücke in Netzwerk-OS, gibt wichtige Hinweise für Firewalls ∗∗∗ --------------------------------------------- Wer eine Firewall von Cisco nutzt, sollte diese aus Sicherheitsgründen bis Anfang März aktualisieren. Außerdem gibt es Patches für NX-OS. --------------------------------------------- https://heise.de/-6524029 ∗∗∗ Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin ∗∗∗ --------------------------------------------- On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerab… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0). --------------------------------------------- https://lwn.net/Articles/885885/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird). --------------------------------------------- https://lwn.net/Articles/885997/ ∗∗∗ Security Bulletin: Datastax Enterprise with IBM is vulnerable to exploiting Apache Cassandra User-Defined Functions for Remote Code Execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastax-enterprise-with-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities were detected in IBM Sterling External Authentication Server (CVE-2022-22333, CVE-2022-22349) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Security Bulletin: IBM Operational Decision Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) . ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operational-decision-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-38994, CVE-2021-38995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ai… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Logback ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Sterling Secure Proxy (CVE-2022-22336, CVE-2022-22333) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ VMSA-2022-0006 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0006.html ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0232 ∗∗∗ XSS Vulnerabilities in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2022
by Daily end-of-shift report 23 Feb '22

23 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-02-2022 18:00 − Mittwoch 23-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LockBit, Conti most active ransomware targeting industrial sector ∗∗∗ --------------------------------------------- Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ra… ∗∗∗ Entropy ransomware linked to Dridex malware downloader ∗∗∗ --------------------------------------------- Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to… ∗∗∗ Creaky Old WannaCry, GandCrab Top the Ransomware Scene ∗∗∗ --------------------------------------------- Nothing like zombie campaigns: WannaCrys old as dirt, and GandCrab threw in the towel years ago. Theyre on auto-pilot at this point, researchers say. --------------------------------------------- https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/ ∗∗∗ How to Fix the specialadves WordPress Redirect Hack ∗∗∗ --------------------------------------------- Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-fix-the-specialadves-wordpress-redir… ∗∗∗ 25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository ∗∗∗ --------------------------------------------- Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. --------------------------------------------- https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html ∗∗∗ Cisco warns firewall customers of four-day window for urgent updates ∗∗∗ --------------------------------------------- Firewalls are supposed to update so they block new threats – miss this deadline and they might not. --------------------------------------------- https://www.theregister.com/2022/02/23/cisco_firepower_rapid_update_require… ∗∗∗ SameSite: Hax – Exploiting CSRF With The Default SameSite Policy ∗∗∗ --------------------------------------------- Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF. --------------------------------------------- https://pulsesecurity.co.nz/articles/samesite-lax-csrf ∗∗∗ Shadowserver Starts Conducting Daily Scans to Help Secure ICS ∗∗∗ --------------------------------------------- The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. --------------------------------------------- https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-hel… ∗∗∗ Investieren Sie nicht bei bottic.org! ∗∗∗ --------------------------------------------- Schnell, viel Geld verdienen mit Crypto-Investments, das verspricht eine Vielzahl an unseriösen Investitionsplattformen. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/investieren-sie-nicht-bei-botticorg/ ∗∗∗ Increased Phishing Attacks Disguised as Microsoft ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. --------------------------------------------- https://asec.ahnlab.com/en/31994/ ∗∗∗ (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware ∗∗∗ --------------------------------------------- UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. --------------------------------------------- https://www.mandiant.com/resources/unc2596-cuba-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Planning Analytics, IBM Planning Analytics Workspace, IBM Cúram Social Program Management, IBM SDK Java Technology Edition, IBM Cloud Application Business Insights, IBM Sterling Global Mailbox, Content Collector, IBM WebSphere Application Server, CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-02-23 ∗∗∗ --------------------------------------------- Cisco has published 4 Security Advisories: 3 High, 1 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ ZDI-22-404: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr1 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-404/ ∗∗∗ ZDI-22-403: (0Day) WECON LeviStudioU UMP File Parsing XY Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-403/ ∗∗∗ ZDI-22-402: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr2 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-402/ ∗∗∗ ZDI-22-401: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-401/ ∗∗∗ ZDI-22-400: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-400/ ∗∗∗ ZDI-22-399: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-399/ ∗∗∗ ZDI-22-398: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-398/ ∗∗∗ ZDI-22-397: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-397/ ∗∗∗ ZDI-22-396: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-396/ ∗∗∗ ZDI-22-395: (0Day) WECON LeviStudioU UMP File Parsing Disc Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-395/ ∗∗∗ SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-306654.txt ∗∗∗ Remote Code Execution in pfSense <= 2.5.2 ∗∗∗ --------------------------------------------- https://www.shielder.it/advisories/pfsense-remote-command-execution/ ∗∗∗ CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool ∗∗∗ --------------------------------------------- https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-vulnerabi… ∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0223 ∗∗∗ SA45038 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-2385… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2022
by Daily end-of-shift report 22 Feb '22

22 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-02-2022 18:00 − Dienstag 22-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Revamped CryptBot malware spread by pirated software sites ∗∗∗ --------------------------------------------- A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-sp… ∗∗∗ VU#229438: Mobile device monitoring services do not authenticate API requests ∗∗∗ --------------------------------------------- The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. [..] We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." --------------------------------------------- https://kb.cert.org/vuls/id/229438 ∗∗∗ Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike ∗∗∗ --------------------------------------------- Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. --------------------------------------------- https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html ∗∗∗ Horde Webmail 5.2.22 - Account Takeover via Email ∗∗∗ --------------------------------------------- We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment. [..] Although we reported this vulnerability almost 6 months ago, there is currently no official patch available. Hence, we provide recommendations on how to mitigate this code vulnerability at the end of this blog post. --------------------------------------------- https://blog.sonarsource.com/horde-webmail-account-takeover-via-email ∗∗∗ Empfehlungen: Mit kostenlosen IT-Security-Tools Computer sicherer machen ∗∗∗ --------------------------------------------- Admins aufgepasst: IT-Security ist komplex, doch es gibt jede Menge nützliche und vor allem kostenlose Services und Tools, die helfen können. Eine Auflistung. --------------------------------------------- https://heise.de/-6515891 ∗∗∗ Achtung: E-Mail von DNS Österreich ist Fake ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan ein E-Mail von DNS Österreich. Das vermeintliche Unternehmen behauptet darin, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, die Domain für € 297,50 vorab zu kaufen. Überweisen Sie nichts, Sie verlieren Ihr Geld. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-mail-von-dns-oesterreich-i… ∗∗∗ Asustor NAS owners hit by DeadBolt ransomware attack ∗∗∗ --------------------------------------------- While Asustor investigates what is clearly a serious problem, it says it has disabled functionality which can allow remote access to its NAS drives: ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to. In addition, the company has published the following recommendations for customers to protect themselves from the DeadBolt ransomware --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/asustor-nas-owners-hit-by-d… ∗∗∗ Ransomware victims are paying up. But then the gangs are coming back for more ∗∗∗ --------------------------------------------- Cybersecurity experts warn against paying ransoms - this is why. --------------------------------------------- https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-croo… ∗∗∗ Integer overflow: How does it occur and how can it be prevented? ∗∗∗ --------------------------------------------- Make no mistake, counting on a computer is not as easy as it may seem. Here’s what happens when a number gets “too big”. --------------------------------------------- https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can… ∗∗∗ Kernel Karnage – Part 9 (Finishing Touches) ∗∗∗ --------------------------------------------- I also incorporated dynamic function imports using hashed function names and CIG to protect the spawned suspended process against injection of non-Microsoft-signed binaries. The Beacon payload is stored as an AES256 encrypted PE resource and decrypted in memory before being injected into the remote process. --------------------------------------------- https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/ ===================== = Vulnerabilities = ===================== ∗∗∗ NAS: Sicherheitslücke in Synology DSM erlaubt Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- Angreifer könnten beliebige Befehle auf Synology-NAS-Geräten ausführen. Der Hersteller arbeitet an Updates zum Beheben der Fehler. Erste stehen bereit. --------------------------------------------- https://heise.de/-6515542 ∗∗∗ TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer ∗∗∗ --------------------------------------------- Third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to bypassing the sanitization strategy. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2022-001 ∗∗∗ Reflected XSS in Header Footer Code Manager ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations. The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Webmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Code auszuführen --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0217 ∗∗∗ EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67108459/ ∗∗∗ EC-CUBE improperly handles HTTP Host header values ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53871926/ ∗∗∗ ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php ∗∗∗ Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-cast-iron-and-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU (minus CVE-2021-35550/35561/35603) plus CVE-2021-41035 affects IBM Tivoli Composite Application Manager for ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ GE Proficy CIMPLICITY-IPM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01 ∗∗∗ GE Proficy CIMPLICITY-Cleartext ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02 ∗∗∗ WIN-911 2021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2022
by Daily end-of-shift report 21 Feb '22

21 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-02-2022 18:00 − Montag 21-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Versuchter Finanzbetrug nach Exchange-Einbruch ∗∗∗ --------------------------------------------- Nachdem die Exchange-Sicherheitslücken abgedichtet wurden, gingen Angriffe weiter. Mittels Spear-Phishing sollten die Opfer zu Überweisungen gedrängt werden. --------------------------------------------- https://heise.de/-6509718 ∗∗∗ Ungewöhnlicher Krypto-Raubzug erbeutet Millionen ∗∗∗ --------------------------------------------- Der Klayswap-Angriff hingegen attackierte Infrastruktur, auf die sich im Prinzip alle Internet-Dienste verlassen: das Routing, Zertifikate und Open-Source-Bibliotheken. Letztlich tauschten die Angreifer eine nachgeladene JavaScript-Datei durch eine trojanisierte Version aus, die Transaktionen auf ihr eigenes Konto umleitete. Spannend ist jedoch, wie sie das bewerkstelligten. --------------------------------------------- https://heise.de/-6496145 ∗∗∗ European Cybersecurity Agencies Issue Resilience Guidance for Decision Makers ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the European Union’s Computer Emergency Response Team (CERT-EU) last week published a set of best practices to help organizations boost their cyber resilience. The joint guidance is meant for public and private organizations in the EU, specifically CISOs and other decision makers. The document is also recommended for entities that support organizational risk management. --------------------------------------------- https://www.securityweek.com/european-cybersecurity-agencies-issue-resilien… ∗∗∗ Schicken Sie Ihrer Internet-Bekanntschaft keine Steam-Guthaben-Codes ∗∗∗ --------------------------------------------- Soziale Netzwerke wie Facebook und Instagram sind beliebte Kanäle, um neue Bekanntschaften zu machen. Beim Austausch mit Fremden über das Internet besteht aber immer die Gefahr, dass sich die Person als jemand anderes ausgibt. Bittet Sie diese Person um Geld oder Guthabenkarten, sollten Sie den Kontakt abbrechen! --------------------------------------------- https://www.watchlist-internet.at/news/schicken-sie-ihrer-internet-bekannts… ∗∗∗ Ransomware trifft Europas industrielle Steuersysteme und Betriebstechnik so häufig wie IT-Systeme ∗∗∗ --------------------------------------------- Interessante Erkenntnisse aus einer Befragung von 1.100 Security-Spezialisten im Rahmen einer Studie im Hinblick auf die Sicherheit industrieller Anlagen und der kritischen Infrastruktur in Europa. Die Aussage der Studie war, dass industrielle Steuersysteme und Betriebstechnik in Europa fast ebenso häufig wie die IT-Systeme von Ransomware befallen wurde. --------------------------------------------- https://www.borncity.com/blog/2022/02/19/ransomware-trifft-europas-industri… ∗∗∗ Sicherheitslücke in diversen zebNet-Produkten entdeckt (Feb. 2022) ∗∗∗ --------------------------------------------- In Folge dieser Entdeckung hat zebNet für sämtliche betroffene Produkte, welche sich in der Unterstützung befinden, am 19.02.2022 (d.h. binnen 24-Stunden) fehlerbereinigte Versionen bereitgestellt. Der Hersteller weist darauf hin, dass diese Updates umgehend von allen Kunden, die ein betroffenes Produkt einsetzen, installiert werden sollten. --------------------------------------------- https://www.borncity.com/blog/2022/02/20/sicherheitslcke-in-diversen-zebnet… ∗∗∗ Chasing the Silver Petit Potam to Domain Admin ∗∗∗ --------------------------------------------- Exploiting Petit Potam in a different way to force some downgrade and protocol attacks. --------------------------------------------- https://blog.zsec.uk/chasing-the-silver-petit-potam/ ∗∗∗ Mobile malware evolution 2021 ∗∗∗ --------------------------------------------- In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors. --------------------------------------------- https://securelist.com/mobile-malware-evolution-2021/105876/ ∗∗∗ New Android Banking Trojan Spreading via Google Play Store Targets Europeans ∗∗∗ --------------------------------------------- "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." --------------------------------------------- https://thehackernews.com/2022/02/xenomorph-android-banking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Irony alert! PHP fixes security flaw in input validation code ∗∗∗ --------------------------------------------- If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3. Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float(). (Versions 8.0 and 7.4 are still supported, and are vulnerable too; if you aren’t using the latest 8.1 flavour of PHP then you need 8.0.16 and 7.4.28 respectively.) --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Cloud Pak for Security vulnerable to information exposure (CVE-2021-35567) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-vu… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM FileNet Content Manager component in IBM Business Automation Workflow -CVE-2021-31811, CVE-2021-31812, CVE-2021-23926, CVE-2021-38965 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-polkit-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2341 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Cloud Pak for Network Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-network… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: A vulnerability in Kubernetes affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-kubern… ∗∗∗ K28409053: Apache Tomcat vulnerability CVE-2022-23181 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28409053?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2022
by Daily end-of-shift report 18 Feb '22

18 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-02-2022 18:00 − Freitag 18-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware gang takes over TrickBot malware operation ∗∗∗ --------------------------------------------- After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-… ∗∗∗ Remcos RAT Delivered Through Double Compressed Archive, (Fri, Feb 18th) ∗∗∗ --------------------------------------------- One of our readers shared an interesting sample received via email. --------------------------------------------- https://isc.sans.edu/diary/rss/28354 ∗∗∗ Microsoft Warns of Ice Phishing Threat on Web3 and Decentralized Networks ∗∗∗ --------------------------------------------- Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while its still in its early stages. --------------------------------------------- https://thehackernews.com/2022/02/microsoft-warns-of-ice-phishing-threat.ht… ∗∗∗ Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) ∗∗∗ --------------------------------------------- This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. --------------------------------------------- https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversa… ∗∗∗ Microsoft Teams Abused for Malware Distribution in Recent Attacks ∗∗∗ --------------------------------------------- A recently identified malicious campaign has been abusing Microsoft Teams for the distribution of malware, enterprise email security firm Avanan reports. --------------------------------------------- https://www.securityweek.com/microsoft-teams-abused-malware-distribution-re… ∗∗∗ Vorsicht bei der Jobsuche: Ignorieren Sie Stellenangebote von skovgaardtransit.com! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit ein betrügerisches Stellenangebot eines angeblich globalen Logistikunternehmens namens Skovgaard Logistics Services LTD. Das unseriöse Unternehmen verspricht darin einen Job mit „hoher Bezahlung“, Vorkenntnisse sind keine notwendig. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-jobsuche-ignorieren… ∗∗∗ NSA Best Practices for Selecting Cisco Password Types ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance on securing network infrastructure devices and credentials. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/17/nsa-best-practice… ∗∗∗ CISA Compiles Free Cybersecurity Services and Tools for Network Defenders ∗∗∗ --------------------------------------------- CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/18/cisa-compiles-fre… ∗∗∗ Academics publish method for recovering data encrypted by the Hive ransomware ∗∗∗ --------------------------------------------- A team of South Korean researchers has published an academic paper on Thursday detailing a method to recover files encrypted by the Hive ransomware without paying the attackers for the decryption key. --------------------------------------------- https://therecord.media/academics-publish-method-for-recovering-data-encryp… ∗∗∗ Distribution of Magniber Ransomware Stops (Since February 5th) ∗∗∗ --------------------------------------------- The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution. --------------------------------------------- https://asec.ahnlab.com/en/31690/ ∗∗∗ Log4Shell 2 Months Later: Security Strategies for the Internets New Normal ∗∗∗ --------------------------------------------- On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-securi… ===================== = Vulnerabilities = ===================== ∗∗∗ Onlineshops: Erneut kritische Lücke in Adobe Commerce und Magento entdeckt ∗∗∗ --------------------------------------------- Aufgrund einer weiteren Sicherheitslücke hat Adobe einen Notfallpatch überarbeitet. Es gibt bereits Attacken auf Onlineshops. --------------------------------------------- https://heise.de/-6495424 ∗∗∗ Root-Rechte durch Schwachstelle in Softwareverteilungssystem Snap ∗∗∗ --------------------------------------------- Sicherheitslücken in der Software-Bereitstellung Snap ermöglichen Angreifern unter anderem, ihre Rechte im System auszuweiten. Updates beheben die Fehler. --------------------------------------------- https://heise.de/-6495740 ∗∗∗ Vulnerability found in WordPress plugin with over 3 million installations ∗∗∗ --------------------------------------------- UpdraftPlus patched the vulnerability on Thursday in version 1.22.3. --------------------------------------------- https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39026 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: CVE-2021-42771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-42771/ ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0003.html ∗∗∗ Bitdefender Antivirus: Schwachstelle ermöglicht Manipulation von Produkteinstellungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0207 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2022
by Daily end-of-shift report 17 Feb '22

17 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-02-2022 18:00 − Donnerstag 17-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Neue Welle von Spam-Mails: "Dein Paket wartet!" ∗∗∗ --------------------------------------------- Die E-Mails enthalten eine Zahlungsaufforderung und geben an, dass ein Paket abgeholt werden kann. --------------------------------------------- https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferu… ∗∗∗ Researchers Warn of a New Golang-based Botnet Under Continuous Development ∗∗∗ --------------------------------------------- Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken thats under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html ∗∗∗ Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source ∗∗∗ --------------------------------------------- Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency. --------------------------------------------- https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-test… ∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗ --------------------------------------------- NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community. --------------------------------------------- https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-fo… ∗∗∗ Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) ∗∗∗ --------------------------------------------- Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution. --------------------------------------------- https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-… ∗∗∗ Gefahr Datenleaks: Achten Sie auf Passwort-Sicherheit! ∗∗∗ --------------------------------------------- Um sich vor den Gefahren im Netz zu schützen, macht es Sinn, sich regelmäßig über Internetbetrug zu informieren und die Tricks der Kriminellen zu kennen. Doch leider können Sie auch zum Opfer werden, wenn Sie alles richtig machen und sich nicht in Internetfallen locken lassen. Das gilt zum Beispiel, wenn Ihre Daten bei einem sogenannten Datenleak veröffentlicht werden. --------------------------------------------- https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-pas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Information disclosure CVE IDs: CVE-2022-25270 Description: The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-core-2022-004 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Improper input validation CVE IDs: CVE-2022-25271 Description: Drupal cores form API has a vulnerability where certain contributed or custom modules forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. --------------------------------------------- https://www.drupal.org/sa-core-2022-003 ∗∗∗ Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025 ∗∗∗ --------------------------------------------- Project: Quick Edit Security risk: Moderately critical Vulnerability: Information Disclosure Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-025 ∗∗∗ Sicherheitsupdate: Präparierte Mails können Thunderbird aus dem Tritt bringen ∗∗∗ --------------------------------------------- Es ist eine gegen mögliche Schadcode-Attacken abgesicherte Version des Mailclients Thunderbird erschienen. --------------------------------------------- https://heise.de/-6484606 ∗∗∗ VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2022-22945 Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0005.html ∗∗∗ Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin ∗∗∗ --------------------------------------------- On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulne… ∗∗∗ PostgreSQL JDBC 42.3.3 Released ∗∗∗ --------------------------------------------- A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver. --------------------------------------------- https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/ ∗∗∗ SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-p… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2022
by Daily end-of-shift report 16 Feb '22

16 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-02-2022 18:00 − Mittwoch 16-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Researcher fully recovers text from pixels: how to reverse redaction ∗∗∗ --------------------------------------------- A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-fully-recovers-te… ∗∗∗ Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 ∗∗∗ --------------------------------------------- The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. --------------------------------------------- https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.ht… ∗∗∗ 25 years on, Microsoft makes another stab at stopping macro malware ∗∗∗ --------------------------------------------- Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet. What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals. --------------------------------------------- https://grahamcluley.com/microsoft-stab-macro-viruses/ ∗∗∗ OpSec. Hunting wireless ∗∗∗ --------------------------------------------- Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-hunting-wireless/ ∗∗∗ Characterising Cybercriminals: A Review. (arXiv:2202.07419v1 [cs.CY]) ∗∗∗ --------------------------------------------- This review provides an overview of current research on the knowncharacteristics and motivations of offenders engaging in cyber-dependentcrimes. --------------------------------------------- http://arxiv.org/abs/2202.07419 ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Security Bug Reported in Apache Cassandra Database Software ∗∗∗ --------------------------------------------- Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.h… ∗∗∗ VMware-Sicherheitsupdates: Angreifer könnten Schadcode in Host-Systeme schieben ∗∗∗ --------------------------------------------- Die VMware-Entwickler haben Sicherheitslücken in mehreren Anwendungen geschlossen. Sie stufen das Risiko als "kritisch" ein. --------------------------------------------- https://heise.de/-6478188 ∗∗∗ Atlassian Confluence und Jira für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- Admins sollten ihre Confluence und Jira Server vor möglichen Angriffen absichern. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6478758 ∗∗∗ ZDI-22-368: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-368/ ∗∗∗ ZDI-22-367: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-367/ ∗∗∗ ZDI-22-366: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-366/ ∗∗∗ ZDI-22-365: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-365/ ∗∗∗ ZDI-22-364: MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-364/ ∗∗∗ ZDI-22-363: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-363/ ∗∗∗ Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Maximo Anywhere Discloses Sensitive Information in Local Storage ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-discl… ∗∗∗ Security Bulletin: App Connect Professional is affected by polkit's pkexec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000290464 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2022
by Daily end-of-shift report 15 Feb '22

15 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-02-2022 18:00 − Dienstag 15-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Domain-Hijacking: Tausende NPM-Accounts könnten sich übernehmen lassen ∗∗∗ --------------------------------------------- Laut einer Untersuchung lassen sich verwaiste NPM-Pakete leicht übernehmen. Außerdem könnten einige Maintainer überarbeitet sein. [..] Das hat auch NPM-Besitzer Github erkannt und führt deshalb langsam die zwingende Nutzung einer Zweifaktorauthentifizierung ein. --------------------------------------------- https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-s… ∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗ --------------------------------------------- Im operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing? --------------------------------------------- https://isc.sans.edu/diary/rss/28342 ∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗ --------------------------------------------- A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. --------------------------------------------- https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html ∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗ --------------------------------------------- On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-cont… ∗∗∗ macOS: Sicherheitsupdates für ältere Versionen ∗∗∗ --------------------------------------------- Big Sur und Catalina erhalten jeweils ein Patch-Paket – doch leider verrät Apple nichts zum Inhalt. --------------------------------------------- https://heise.de/-6457597 ∗∗∗ Qnap lässt Sicherheitsupdate-Support für einige NAS-Modelle aufleben ∗∗∗ --------------------------------------------- Wer einen älteren Netzwerkspeicher (NAS) von Qnap besitzt, könnte ab sofort wieder Sicherheitspatches bekommen. --------------------------------------------- https://heise.de/-6474074 ∗∗∗ Betrügerische Wohnungsinserate erkennen: So geht’s ∗∗∗ --------------------------------------------- Auf Plattformen wie immobilienscout24.at, willhaben.at oder im Facebook Marketplace werden immer wieder Fake-Inserate von Miet- und Eigentumswohnungen veröffentlicht. Fake-Inserate können aber anhand einiger Merkmale schnell entlarvt werden. Zum einen am günstigen Preis, zum anderen an der Kommunikation mit den Eigentümerinnen und Eigentümern. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erke… ∗∗∗ New Emotet Infection Method ∗∗∗ --------------------------------------------- As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload. --------------------------------------------- https://unit42.paloaltonetworks.com/new-emotet-infection-method/ ∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗ --------------------------------------------- Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics. --------------------------------------------- https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-th… ∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗ --------------------------------------------- Unpatched servers have been used to twist corporate email threads and conduct financial theft. --------------------------------------------- https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exc… ∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-rele… ∗∗∗ Sicherheitswarnung von Tuxedo Computer – dringend Passwort ändern ∗∗∗ --------------------------------------------- TUXEDO Computers ist ein in Augsburg angesiedelter Anbieter von Computern. [..] Bei diesem Hersteller hat es eine Sicherheitslücke gegeben, so dass der Hersteller die Kunden auffordert, ihre Kennwörter für deren Online-Konten zu ändern. --------------------------------------------- https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-comp… ∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗ --------------------------------------------- Multi-factor Authentication or MFA (sometimes referred as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations. --------------------------------------------- https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗ --------------------------------------------- Zero-day buses: none for a while, then three at once. Heres Google joining Apple and Adobe in "zero-day week" --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-ch… ∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗ --------------------------------------------- The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10937 ∗∗∗ Unsichere Babymonitore von Nooie: Fremde könnten Vollzugriff erlangen ∗∗∗ --------------------------------------------- Bei der Analyse von zwei Babyphones von Nooie hat Bitdefender Sicherheitslücken entdeckt, durch die Angreifer etwa den Videostream anzapfen könnten. --------------------------------------------- https://heise.de/-6475088 ∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗ --------------------------------------------- Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ VMSA-2022-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-8.4 CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050 Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0004.html ∗∗∗ Symlink Directory Traversal in Linksys WLAN-Router (SYSS-2021-046) ∗∗∗ --------------------------------------------- Linksys WLAN-Router beinhaltet eine Schwachstelle, die es Angreifern erlaubt, Zugriff auf das gesamte interne Dateisystem des Routers zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wla… ∗∗∗ Unzureichender Schutz für Medieninhalte bei AVMs FRITZ!Box (SYSS-2021-050) ∗∗∗ --------------------------------------------- AVMs FRITZ!Box-Heimrouter ermöglichen es Angreifenden, in Heimnetzwerken auf Mediendaten wie z. B. Bilder oder Videos zuzugreifen. --------------------------------------------- https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-b… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-349/ ∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-348/ ∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-347/ ∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-346/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-004 ∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-003 ∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-002 ∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-001 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2022
by Daily end-of-shift report 14 Feb '22

14 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-02-2022 18:00 − Montag 14-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗ --------------------------------------------- Googles Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-… ∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗ --------------------------------------------- Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers attempts to steal Windows credentials from the LSASS process. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard… ∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗ --------------------------------------------- The malware underground market might seem astoundingly professional in marketing and support. Lets take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne… ∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗ --------------------------------------------- This week I got this run-of-the-mill DHL phishing in my ISC inbox. --------------------------------------------- https://isc.sans.edu/diary/rss/28332 ∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗ --------------------------------------------- If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs. --------------------------------------------- https://isc.sans.edu/diary/rss/28338 ∗∗∗ Vulnerabilities that aren’t. Unquoted Spaces ∗∗∗ --------------------------------------------- I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un… ∗∗∗ E-Mail vom Bundeskriminalamt mit Betreff „BUNDESKRIMINALAMT VORLADUNG“ ist Fake ∗∗∗ --------------------------------------------- „Hallo, wir teilen Ihnen mit, dass Sie eine Straftat begangen haben“ lautet der Text in einem E-Mail – angeblich vom Bundeskriminalamt. In einem angehängten PDF-Dokument teilen Ihnen das Bundeskriminalamt, die Polizei sowie Europol mit, dass gegen Sie ein Verfahren wegen einer sexuellen Straftat eingeleitet wurde. Achtung: Dieses E-Mail ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗ --------------------------------------------- A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. --------------------------------------------- https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/ ∗∗∗ Jetzt aktualisieren! Angriffe auf Shop-Systeme Adobe Commerce und Magento ∗∗∗ --------------------------------------------- Adobe meldet Angriffe auf die Shop-Systeme Commerce und Magento. Updates stehen bereit, die die ausgenutzte kritische Sicherheitslücke schließen sollen. --------------------------------------------- https://heise.de/-6455225 ∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-318/ ∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2022
by Daily end-of-shift report 11 Feb '22

11 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-02-2022 18:00 − Freitag 11-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗ --------------------------------------------- Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of… ∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗ --------------------------------------------- I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone. --------------------------------------------- https://isc.sans.edu/diary/rss/28324 ∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗ --------------------------------------------- I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution! --------------------------------------------- https://isc.sans.edu/diary/rss/28330 ∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗ --------------------------------------------- Big Brother Zoomer is listening to us, complain users Apple Mac users running the Zoom meetings app are reporting that its keeping their computers microphone on when they arent using it. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic… ∗∗∗ Schwachstelle im Virenschutz Microsoft-Defender stillschweigend abgedichtet ∗∗∗ --------------------------------------------- Durch zu laxe Rechtevergabe hätten Angreifer auf die Microsoft-Defender-Ausnahmen zugreifen können. Die Lücke hat das Unternehmen ohne Ankündigung behoben. --------------------------------------------- https://heise.de/-6444399 ∗∗∗ Luftnummer: Warnung vor Geisterberührungen auf Touchscreens ∗∗∗ --------------------------------------------- Die TU Darmstadt warnt, dass gezielte Angriffe auf Touchscreens möglich seien. Praxistauglich ist der beschriebene "GhostTouch"-Angriff jedoch nicht. --------------------------------------------- https://heise.de/-6445488 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know… ∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗ --------------------------------------------- GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecures Titan Managed Detection and Response (MDR) team. --------------------------------------------- https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: SMB-Lücke in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine fast zwei Jahre alte kritische Lücke in Windows wird derzeit aktiv ausgenutzt. Exploits gibt es auch für eine sieben Jahre alte Windows-Lücke. --------------------------------------------- https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen… ∗∗∗ Notfall-Patch für iPhones, iPads und Macs: iOS 15.3.1 und macOS 12.2.1 verfügbar ∗∗∗ --------------------------------------------- Apple schließt eine Lücke, die offenbar aktiv für Angriffe ausgenutzt wird. Außerdem beseitigt der Hersteller Bugs, darunter Bluetooth-Probleme bei Intel-Macs. --------------------------------------------- https://heise.de/-6440372 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba). --------------------------------------------- https://lwn.net/Articles/884516/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0178 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2022
by Daily end-of-shift report 10 Feb '22

10 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-02-2022 18:00 − Donnerstag 10-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗ --------------------------------------------- Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar… ∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗ --------------------------------------------- Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h… ∗∗∗ Linux Malware on the Rise ∗∗∗ --------------------------------------------- Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states. --------------------------------------------- https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic… ∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗ --------------------------------------------- The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot. --------------------------------------------- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783… ∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗ --------------------------------------------- SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..] --------------------------------------------- https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/ ∗∗∗ Vorsicht vor betrügerischen Fortnite-Shops! ∗∗∗ --------------------------------------------- Betrügerische Fortnite-Onlineshops, wie premiumskins.net bieten beliebte Outfits, sogenannte „Fortnite-Skins“ zum Kauf an. Doch Vorsicht – oft werden die Skins nach Bezahlung nicht geliefert! Kaufen Sie Skins nur über den offiziellen Store, innerhalb des Spiels und vertrauen Sie keinen externen Anbietern. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit… ∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗ --------------------------------------------- Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere. Here are some of our most critical findings --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-290/ ∗∗∗ WordPress-Übernahme durch kritische Lücken in PHP Everywhere ∗∗∗ --------------------------------------------- Angreifer hätten durch eine kritische Sicherheitslücke in PHP Everywhere beliebigen Code in WordPress-Instanzen ausführen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-6369318 ∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗ --------------------------------------------- On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. --------------------------------------------- https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex). --------------------------------------------- https://lwn.net/Articles/884381/ ∗∗∗ Dell Computer: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Dell Computer ausnutzen, um beliebigen Programmcode auszuführen oder modifizierte BIOS-Firmware zu installieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0174 ∗∗∗ Drupal: Mehrere Schwachstellen [in Plugins] ∗∗∗ --------------------------------------------- Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden. Ein entfernter, anonymer oderauthentisierter Angreifer kann mehrere Schwachstellen in Drupal [Plugins] ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0173 ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j( CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0016 ∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0017 ∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0018 ∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0011 ∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0021 ∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0020 ∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2022
by Daily end-of-shift report 09 Feb '22

09 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-02-2022 18:00 − Mittwoch 09-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗ --------------------------------------------- South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit… ∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗ --------------------------------------------- Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst… ∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗ --------------------------------------------- The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre… ∗∗∗ Bios, UEFI, WLAN: Intel schließt zahlreiche Firmware-Sicherheitslücken ∗∗∗ --------------------------------------------- An einem groß angelegten Patch-Day stellt Intel Updates für Sicherheitslücken bereit. Diese lassen sich zum Ausweiten von Rechten nutzen. --------------------------------------------- https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar… ∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗ --------------------------------------------- Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08. --------------------------------------------- https://isc.sans.edu/diary/rss/28318 ∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022–22718) ∗∗∗ --------------------------------------------- In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022. --------------------------------------------- https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati… ∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗ --------------------------------------------- SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products. --------------------------------------------- https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/ ∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗ --------------------------------------------- Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-040a ===================== = Vulnerabilities = ===================== ∗∗∗ Ausführen von Schadcode denkbar: Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler schließen in aktualisierten Versionen von Firefox und Thunderbird viele Sicherheitslücken. Einige davon stufen sie als hohes Risiko ein. --------------------------------------------- https://heise.de/-6360477 ∗∗∗ Patchday Microsoft: Angreifer könnten eine Kernel-Lücke in Windows ausnutzen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Azure, Office, Windows & Co. Das ist selten: Keine der geschlossenen Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-6360267 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Illustrator ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben ihr Software-Portfolio gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6360575 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...] --------------------------------------------- https://lwn.net/Articles/884242/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN12969207/ ∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX337526 ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0002.html ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0158 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0156 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0159 ∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2022
by Daily end-of-shift report 08 Feb '22

08 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-02-2022 18:00 − Dienstag 08-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internetsicherheit: So schützen Sie sich vor Account-Hijacking und Co. ∗∗∗ --------------------------------------------- Wir erklären Ihnen, worauf Sie achten sollten, damit Sie sicher im Internet unterwegs sind. --------------------------------------------- https://heise.de/-6355600 ∗∗∗ Microsoft Office soll VBA-Makros standardmäßig blockieren ∗∗∗ --------------------------------------------- Makros sind ein Einfallstor für Malware. VBA-Makros standardmäßig zu deaktivieren, ist längst überfällig. --------------------------------------------- https://heise.de/-6353429 ∗∗∗ Patchday: Lücken in SAP-Produkten ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Am Februar-Patchday schließt SAP mehrere kritische Sicherheitslücken, durch die Angreifer Schadcode in betroffene Systeme einschleusen hätten können. --------------------------------------------- https://heise.de/-6356776 ∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗ --------------------------------------------- Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases. --------------------------------------------- https://arxiv.org/pdf/2112.06804.pdf ∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗ --------------------------------------------- They call it Sugar ransomware, but its not sweet in any way. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-… ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- [UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗ --------------------------------------------- An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022020031 ∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗ --------------------------------------------- An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release. --------------------------------------------- https://portal.microfocus.com/s/article/KM000003667?language=en_US ∗∗∗ Patchday: Kritische System-Lücke lässt Angreifer auf Android-Geräte zugreifen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12 und verschiedene Komponenten des Systems. --------------------------------------------- https://heise.de/-6355256 ∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗ --------------------------------------------- On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...] --------------------------------------------- https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/884082/ ∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu… ∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu… ∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt ∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt ∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt ∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt ∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt ∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt ∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt ∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt ∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2022
by Daily end-of-shift report 07 Feb '22

07 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-02-2022 18:00 − Montag 07-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗ --------------------------------------------- The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr… ∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗ --------------------------------------------- When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways. --------------------------------------------- https://www.wired.com/story/mac-malware-growing-more-sophisticated ∗∗∗ Shadow Credentials ∗∗∗ --------------------------------------------- During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualize the steps of the technique Shadow Credentials in practice. --------------------------------------------- https://pentestlab.blog/2022/02/07/shadow-credentials/ ∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗ --------------------------------------------- You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage. --------------------------------------------- https://isc.sans.edu/diary/rss/28312 ∗∗∗ Sextortion: Wenn ein harmloser Flirt in Erpressung endet ∗∗∗ --------------------------------------------- Sextortion ist eine Betrugsmasche, bei der meist männliche Opfer von Online-Bekanntschaften aufgefordert werden, sexuelles Bild- und Videomaterial von sich zu versenden oder sich nackt vor der Webcam zu zeigen. Mit diesen Bildern und Videos werden die Opfer dann erpresst: Zahlen oder das Material wird im Internet veröffentlicht! --------------------------------------------- https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-… ∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommend mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi… ∗∗∗ Microsoft deaktiviert wegen Emotet & Co. MSIX ms-appinstaller Protokoll-Handler in Windows (Feb. 2022) ∗∗∗ --------------------------------------------- Nachdem Ransomware wie Emotet oder BazarLoader den MSIX ms-appinstaller Protokoll-Handler missbrauchten, hat Microsoft nun erneut reagiert. Der komplette MSIX ms-appinstaller Protokoll-Handler wurde vorerst in Windows – quasi als Schutz vor Emotet, BazarLoader oder ähnlicher Malware – deaktiviert. --------------------------------------------- https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi… ∗∗∗ Vorsicht: audacity.de und keepass.de verbreiten Malware (Feb. 2022) ∗∗∗ --------------------------------------------- Kleiner Hinweis an Leute, die sich gerne Software aus dem Internet herunterladen. Es sieht so aus, als ob die Domains audacity.de und keepass.de in die Hände von Leuten gekommen sind, die damit Schindluder treiben. Statt ein Audio-Tool oder einen Passwort-Manager zu bekommen, wird über die betreffenden Seiten Malware verteilt. --------------------------------------------- https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/884015/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0143 ∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95898697/ ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multipe vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2022
by Daily end-of-shift report 04 Feb '22

04 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-02-2022 18:00 − Freitag 04-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstelle in GitOps-Tool: Argo CD über Path Traversal angreifbar ∗∗∗ --------------------------------------------- Angriffe mit manipulierten Helm-Charts ermöglichen Zugriff auf beliebige Verzeichnisse im Repository des Continuous-Delivery-Werkzeugs für Kubernetes. --------------------------------------------- https://heise.de/-6349810 ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- - Volexity discovers XSS zero-day vulnerability against Zimbra - Targeted sectors include European government and media - Successful exploitation results in theft of email data from users --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗ --------------------------------------------- In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats. --------------------------------------------- https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind… ∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗ --------------------------------------------- This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et… ∗∗∗ Target open-sources its web skimmer detector ∗∗∗ --------------------------------------------- Targets cybersecurity team has open-sourced the code of Merry Maker, the companys internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers. --------------------------------------------- https://therecord.media/target-open-sources-its-web-skimmer-detector/ ∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗ --------------------------------------------- Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks. --------------------------------------------- https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou… ∗∗∗ Special Report: Die Tücken von Active Directory Certificate Services (AD CS) ∗∗∗ --------------------------------------------- Active Directory Certificate Services (ADCS) ist anfällig für Fehlkonfigurationen, mit denen eine komplette Kompromittierung des Netzes trivial möglich ist. Publiziert wurde das Problem im Sommer 2021, jetzt wird diese Methode bei APT-Angriffen benutzt. Kontrollieren Sie mit den bereitgestellten Tools ihr Setup. Stellen Sie mit den angeführten Präventiv-Maßnahmen höhere Sichtbarkeit her. Überprüfen Sie mit den vorgestellen Tools, ob eine Fehlkonfiguration bereits ausgenutzt wurde. --------------------------------------------- https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...] --------------------------------------------- https://lwn.net/Articles/883828/ ∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno… ∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67396225/ ∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40508224 ∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05295469 ∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2022
by Daily end-of-shift report 03 Feb '22

03 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-02-2022 18:00 − Donnerstag 03-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spam-Anrufe von Wiener Nummer: “This is the police” ∗∗∗ --------------------------------------------- Bei solchen Anrufen gilt es generell, sofort aufzulegen. Ist man sich unsicher, ob der Anruf echt war (im Falle eines englischsprachigen Tonbands ist er das jedenfalls nicht), kann man eigenständig die Polizei (133) anrufen. Die Polizei warnt, dass man nie eine "Polizei"-Telefonnummern zurückrufen soll, wenn das in solchen Anrufen gefordert wird. Hat man bereits mit der Person gesprochen und Daten herausgegeben, soll man umgehend Anzeige bei der Polizei erstatten. --------------------------------------------- https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police… ∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗ --------------------------------------------- Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details. --------------------------------------------- https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav… ∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗ --------------------------------------------- For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known. --------------------------------------------- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ ∗∗∗ Tattoo-Giveaways auf Instagram führen in eine Abo-Falle ∗∗∗ --------------------------------------------- Kriminelle versenden Nachrichten von Fake-Accounts und behaupten, dass Instagram-User bei einem Gewinnspiel gewonnen hätten. Doch der angebliche Gewinn führt nicht zu einem neuen Tattoo, sondern in eine gut getarnte Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File ParsingOut-Of-Bounds Read Information Disclosure Vulnerability * DCM File Parsing Use-After-Free Information Disclosure Vulnerability * JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability * JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability --------------------------------------------- https://www.zerodayinitiative.com/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba). --------------------------------------------- https://lwn.net/Articles/883676/ ∗∗∗ Sensormatic PowerManage ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ Airspan Networks Mimosa ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02 ∗∗∗ Zwei Schwachstellen in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗ --------------------------------------------- In AudioCodes Session Border Controller (SBC) kann Telefonbetrug begangen werden. Auch wurde eine Rechteeskalation in der Web Management-Konsole gefunden. --------------------------------------------- https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct… ∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗ --------------------------------------------- Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M… ∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu… ∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-042/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2022
by Daily end-of-shift report 02 Feb '22

02 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-02-2022 18:00 − Mittwoch 02-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗ --------------------------------------------- The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. --------------------------------------------- https://kb.cert.org/vuls/id/796611 ∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure. --------------------------------------------- https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst… ∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗ --------------------------------------------- The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). --------------------------------------------- https://lwn.net/Articles/883448/ ∗∗∗ Post E-Mail „Dein Paket wartet !“ ist fake! ∗∗∗ --------------------------------------------- Kriminelle versenden gehäuft E-Mails im Namen der Post mit dem Betreff „Dein Paket wartet !“. Eine Liefergebühr über 1,69 Euro sei ausständig. Achtung: Die E-Mails sind frei erfunden. Die Kriminellen wenden Spoofing an, um die Mail-Adresse echt aussehen zu lassen und verlinken auf eine nachgebaute Post-Website. --------------------------------------------- https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron). --------------------------------------------- https://lwn.net/Articles/883541/ ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device. The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API." --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.… ∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-20-217 ∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-185 ∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-148 ∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-166 ∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-132 ∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-180 ∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-158 ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu… ∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu… ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2022
by Daily end-of-shift report 01 Feb '22

01 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 31-01-2022 18:00 − Dienstag 01-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI-Grundschutz-Kompendium 2022: Neue Bausteine, schlankere Struktur ∗∗∗ --------------------------------------------- Das IT-Grundschutzkompendium in der Edition 2022 wartet mit einigen neuen Bausteinen, aber auch mit strukturellen Änderungen auf. --------------------------------------------- https://heise.de/-6344956 ∗∗∗ SMS der „Bawag“ mit „Ihr Konto wurde gesperrt!“ ist Fake ∗∗∗ --------------------------------------------- Vorsicht: Momentan kursiert ein betrügerisches SMS – angeblich von der Bawag. In der Nachricht werden Sie darüber informiert, dass Ihr Konto gesperrt wurde. Sie werden aufgefordert, auf einen Link zu klicken. Tun Sie das keinesfalls. Der Link führt auf eine gefälschte BAWAG-Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge… ∗∗∗ Domain Escalation – Machine Accounts ∗∗∗ --------------------------------------------- The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins. --------------------------------------------- https://pentestlab.blog/2022/02/01/machine-accounts/ ∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗ --------------------------------------------- 42 Gears released an initial set of updates in November and more earlier this month. --------------------------------------------- https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-146/ ∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-148/ ∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗ --------------------------------------------- 2022-01-31 a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2022-010 ∗∗∗ WordPress-Plug-in Essential Addons for Elementor als Schadcode-Schleuder ∗∗∗ --------------------------------------------- In der aktuellen Version von Essential Addons for Elementor haben die Entwickler eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-6344583 ∗∗∗ VMSA-2022-0003 ∗∗∗ --------------------------------------------- VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/883423/ ∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗ --------------------------------------------- This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01 ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02 ∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-04 ∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K59563964 ∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97120268 ∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00322972 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a… ∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2022
by Daily end-of-shift report 31 Jan '22

31 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-01-2022 18:00 − Montag 31-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4Shell: Eine Bestandsaufnahme ∗∗∗ --------------------------------------------- Nach der Panik wegen der größten Sicherheitslücke aller Zeiten blieb der große Knall aus. Kommt der noch oder haben wir das Gröbste überstanden? --------------------------------------------- https://heise.de/-6342536 ∗∗∗ Unseriöse Umzugsfirmen: Vorsicht bei zu günstigen Angeboten ∗∗∗ --------------------------------------------- Sie ziehen gerade um und sind auf der Suche nach einer Umzugsfirma? Unser Tipp: Lassen Sie sich nicht von Billigangeboten täuschen! Festpreisangebote von „25 Euro pro Stunde für 2 Männer inklusive LKW“ sind vollkommen unrealistisch. Dabei handelt es sich um ein Lockangebot. Bei einer Beauftragung wird Ihnen schlussendlich der 3- bis 4-fache Preis verrechnet! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei… ∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗ --------------------------------------------- A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e… ∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗ --------------------------------------------- Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, by example, the right to forward or copy the original email. --------------------------------------------- https://isc.sans.edu/diary/rss/28292 ∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗ --------------------------------------------- It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory. --------------------------------------------- https://github.com/cado-security/rip_raw ∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗ --------------------------------------------- This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post. --------------------------------------------- https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4 ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Junior IT-Security Analyst:in, IT-Security Analyst:in, Python Entwickler:in) ∗∗∗ --------------------------------------------- Wir suchen derzeit: - Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security zur Unterstützung bei den täglich anfallenden Routineaufgaben - IT/OT-Security Generalist:in oder Spezialist:in im Bereich Windows Security, mit Praxiserfahrung - Python Entwickler:in zur Weiterentwicklung von bestehenden Open-Source-Projekten, insbesondere IntelMQ und Tuency Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗ --------------------------------------------- The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges. --------------------------------------------- https://kb.cert.org/vuls/id/119678 ∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server. --------------------------------------------- https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002… ∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗ --------------------------------------------- Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d… ∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗ --------------------------------------------- There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of theTLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. --------------------------------------------- https://openssl.org/news/secadv/20220128.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...] --------------------------------------------- https://lwn.net/Articles/883322/ ∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗ --------------------------------------------- Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54450124 ∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46015513 ∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-002/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2022
by Daily end-of-shift report 28 Jan '22

28 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-01-2022 18:00 − Freitag 28-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lets Encrypt: Was Admins heute tun müssen ∗∗∗ --------------------------------------------- Heute um 17 Uhr werden bei Lets Encrypt Zertifikate zurückgezogen. Wir beschreiben, wie Admins prüfen können, ob sie betroffen sind. Eine Anleitung von Hanno Böck --------------------------------------------- https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1… ∗∗∗ Fake-Gewinnspiel führt in Abo-Falle: BetrügerInnen geben sich als Ö-Ticket aus! ∗∗∗ --------------------------------------------- Auf Facebook geben sich Kriminelle unter der Seite „Oeticket Österreich“ als Ö-Ticket aus und bewerben das „Gewinnspiel des Jahres“. Zu gewinnen gibt es 2 Tickets für ein Ed Sheeran Konzert. Doch Achtung: Mit dieser Masche versuchen die Kriminellen an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle… ∗∗∗ QNAP probt Zwangsupdate nach 3.600 DeadBolt-Ransomware-Infektionen ∗∗∗ --------------------------------------------- QNAP-Nutzer werden aktuell wohl Opfer der DeadBolt-Ransomware – ich hatte es nicht im Blog, aber binnen einer Woche waren es wohl über 3.600 Opfer. Der NAS-Hersteller greift nun zu drastischen Mitteln und versucht die Firmware betroffener Geräte zwangsweise zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600… ∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗ --------------------------------------------- The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Unions financial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy… ∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗ --------------------------------------------- According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes. --------------------------------------------- https://news.drweb.com/show/?i=14408&lng=en&c=9 ∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗ --------------------------------------------- Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic. --------------------------------------------- https://news.drweb.com/show/?i=14410&lng=en&c=9 ∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗ --------------------------------------------- If you are wondering why your wordpress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity. --------------------------------------------- https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers… ∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victims network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h… ∗∗∗ How to avoid an open source security nightmare ∗∗∗ --------------------------------------------- Just as it would be a mistake to say that all closed source projects are bug-free, its a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases. --------------------------------------------- https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar… ∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗ --------------------------------------------- Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC --------------------------------------------- https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗ --------------------------------------------- Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗ --------------------------------------------- 2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/883047/ ∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗ --------------------------------------------- BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637429.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2022
by Daily end-of-shift report 27 Jan '22

27 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-01-2022 18:00 − Donnerstag 27-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- How are the email security systems bypassed with vulnerability on ''Microsoft Outlook for Mac''? Improper hyperlink translation in ''Microsoft Outlook for Mac'' leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06… ∗∗∗ Update-Reigen: macOS 12.2, watchOS 8.4 und tvOS 15.3 beheben Fehler ∗∗∗ --------------------------------------------- Apple hat neben iOS und iPadOS 15.3 auch alle anderen Betriebssysteme aktualisiert. Zudem gibts ein HomePod-OS-Update. --------------------------------------------- https://heise.de/-6340079 ∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗ --------------------------------------------- [..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht… ∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗ --------------------------------------------- The topics I look to cover in this article are - Quick intro to the Linux Audit System - Tips when writing audit rules - Designing a configuration for security monitoring - What to record with auditd - Tips on managing noise --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗ --------------------------------------------- In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play. --------------------------------------------- https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta… ∗∗∗ Jetzt handeln! Erpressungstrojaner DeadBolt hat es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Der Hersteller von Netzwerkspeichern (NAS) Qnap warnt abermals vor Ransomware-Attacken und gibt wichtige Tipps zur Absicherung. --------------------------------------------- https://heise.de/-6340174 ∗∗∗ Betrug mit nachgebautem Käuferschutz auf ebay-kleinanzeigen.de ∗∗∗ --------------------------------------------- eBay-kleinanzeigen.de stellt eine beliebte Kleinanzeigen-Plattform dar. Wie bei einigen anderen bekannten Marktplätzen wird auch hier eine sichere Bezahlmethode direkt auf der Plattform angeboten. Kriminelle nützen dies aus, indem sie die Kommunikation von offizieller Website und App beispielsweise auf WhatsApp verlagern. Später verweisen sie auf nachgebaute Websites und zweigen Zahlungen direkt in die eigenen Taschen ab! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut… ∗∗∗ The January 2022 Security Update Review ∗∗∗ --------------------------------------------- The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi… ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗ --------------------------------------------- Project: Private Taxonomy Terms Security risk: Critical Description: This module enables users to create private vocabularies.The module doesnt sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-014 ∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗ --------------------------------------------- Project: Navbar Security risk: Moderately critical Description: This module provides a very simple, mobile-friendly navigation toolbar.The module doesnt sufficiently check for user-provided input. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-011 ∗∗∗ Xerox Versalink Denial Of Service ∗∗∗ --------------------------------------------- A specifically crafted TIFF payload may be submitted to the printers job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad-infinitum. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010119 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/882882/ ∗∗∗ Synology-SA-22:02 Samba ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_02 *** Drupal: Bugs in unsupporteten Sub-Projekten *** --------------------------------------------- The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it. - Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022 - Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021 - Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020 - Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019 - Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018 - Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017 - Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016 - Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015 - Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013 - Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012 - Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010 - Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009 - Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008 - Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007 - Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005 - Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006 --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ Security Bulletin:IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2022
by Daily end-of-shift report 26 Jan '22

26 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-01-2022 18:00 − Mittwoch 26-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ALPN: Ein Prozent der Lets-Encrypt-Zertifikate wird zurückgezogen ∗∗∗ --------------------------------------------- Lets Encrypt teilt mit, dass es Probleme bei der ALPN-Validierungsmethode gab und damit ausgestellte Zertifikate zurückgezogen werden. --------------------------------------------- https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi… ∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗ --------------------------------------------- Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date. --------------------------------------------- https://isc.sans.edu/diary/rss/28276 ∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗ --------------------------------------------- "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h… ∗∗∗ Sysdig-Report: Container-Deployments weisen mehrheitlich Schwachstellen auf ∗∗∗ --------------------------------------------- Sysdig beobachtet einen anhaltenden Shift Left bei Container Security, viele Schwachstellen bleiben aber ungepatcht und Rechte-Konfigurationen unzureichend. --------------------------------------------- https://heise.de/-6336816 ∗∗∗ Root-Zugriff unter Linux durch Polkit-Lücke ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwachstelle in Polkit entdeckt, die Rechteausweitung ermöglicht. Für die viele Distributionen sind bereits Patches verfügbar. --------------------------------------------- https://heise.de/-6338569 ∗∗∗ Fake-Shops geben sich als Shops für Warenhausauflösungen aus ∗∗∗ --------------------------------------------- Derzeit stoßen wir vermehrt auf Fake-Shops, die behaupten auf Warenhausauflösungen spezialisiert zu sein oder Überbestände von Amazon oder von Kaufhäusern zu verkaufen. Damit begründen Sie auch ihre günstigen Preise für Marken-Produkte wie KitchenAid, Weber oder DeLonghi. Doch wer genau hinsieht, erkennt, dass es sich um Fake-Shops handelt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer… ∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware. --------------------------------------------- https://asec.ahnlab.com/en/30875/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗ --------------------------------------------- TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. - Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146 - Cross-site scripting (CWE-79) - CVE-2022-21193 --------------------------------------------- https://jvn.jp/en/jp/JVN70100915/ ∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗ --------------------------------------------- This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account. --------------------------------------------- https://pitstop.manageengine.com/portal/en/community/topic/security-update-… ∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗ --------------------------------------------- The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing sidechannel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server). --------------------------------------------- https://lwn.net/Articles/882724/ ∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Automationis vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ GE Gas Power ToolBoxST ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01 ∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2022
by Daily end-of-shift report 25 Jan '22

25 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Responsible Disclosure: Vom Finden und Melden von Sicherheitslücken ∗∗∗ --------------------------------------------- Im Auftrag eines ISP habe ich mehrere Sicherheitslücken in einem Cisco-Router gefunden. Hier erkläre ich, wie ich vorgegangen bin. Ein Erfahrungsbericht von Marco Wiorek --------------------------------------------- https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-… ∗∗∗ Analyse: Linux- und ESXi-Varianten der LockBit-Ransomware ∗∗∗ --------------------------------------------- Die Forscher von Trend Micro Research haben das Thema LockBit-Ransomware in einer Analyse aufgegriffen. Denn diese Ransomware bedroht inzwischen nicht mehr nur Windows-Systeme. Es gibt bereits Samples, die auch Linux- und VMware ESXi-Instanzen befallen können. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d… ∗∗∗ Vollzugriff durch Hintertür in WordPress-Erweiterungen ∗∗∗ --------------------------------------------- Bei einem Servereinbruch landete Hintertür-Schadcode in Plugins und Themes von AccessPress. Angreifer könnten dadurch WordPress-Instanzen übernehmen. --------------------------------------------- https://heise.de/-6337344 ∗∗∗ Jetzt patchen! Attacken auf Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer derzeit Sonicwall Secure Mobile Access im Visier haben. Dagegen lässt sich etwas tun. --------------------------------------------- https://heise.de/-6337222 ∗∗∗ Verkaufen auf willhaben, ebay & Co: Zahlung und Versand nicht über „Kurierdienst Post“ oder „ebay Selling“ abwickeln ∗∗∗ --------------------------------------------- Auf ebay, willhaben, Shpock und Co. treiben momentan vermehrt betrügerische KäuferInnen ihr Unwesen. Diese können aber rasch entlarvt werden: Betrügerische KäuferInnen wollen die Zahlung und Versendung Ihres Produktes über spezielle Dienstleistungen abwickeln. Dabei handelt es sich um angebliche Kurierdienste der Post oder ebay. Diese sind aber Fake! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl… ∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗ --------------------------------------------- Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques. --------------------------------------------- https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/ ∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗ --------------------------------------------- The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. --------------------------------------------- https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html ∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗ --------------------------------------------- A previously undocumented cyber-espionage malware aimed at Apples macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...] --------------------------------------------- https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h… ∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗ --------------------------------------------- We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.The post Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent… ∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗ --------------------------------------------- Attackers have targeted hundreds of organisations, says Microsoft security. --------------------------------------------- https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th… ∗∗∗ Introducing Scanning Made Easy ∗∗∗ --------------------------------------------- A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗ --------------------------------------------- CVE ID: CVE-2022-22509; CVSS 3.1: 8.8 In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-001/ ∗∗∗ Kritische Sicherheitslücke in Unisys Messaging Integration Services ∗∗∗ --------------------------------------------- Unbefugte Nutzer könnten aufgrund fehlerhafter Passwort-Prüfungen in den Messaging Integration Services (NTSI) von Unisys Zugang zu Servern erhalten. --------------------------------------------- https://heise.de/-6337226 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan). --------------------------------------------- https://lwn.net/Articles/882552/ ∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗ --------------------------------------------- PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings. --------------------------------------------- https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin… ∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 und der freie Disk-Speicher ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat ein kritisches Update 2380 für seine Worry Free Business Security (WFBS) freigegeben. Der Patch soll ein Sicherheitsproblem in einer Komponente beseitigen, die die Virenschutzlösung angreifbar macht. Was aber nicht verraten wird: Um diesen kritischen Patch zu installieren, müssen mindestens 13 Gigabyte Festplattenspeicher auf dem Systemlaufwerk vorhanden sein. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se… ∗∗∗ XSA-395 ∗∗∗ --------------------------------------------- Insufficient cleanup of passed-through device IRQs --------------------------------------------- https://xenbits.xen.org/xsa/advisory-395.html ∗∗∗ XSA-394 ∗∗∗ --------------------------------------------- A PV guest could DoS Xen while unmapping a grant --------------------------------------------- https://xenbits.xen.org/xsa/advisory-394.html ∗∗∗ XSA-393 ∗∗∗ --------------------------------------------- arm: guest_physmap_remove_page not removing the p2m mappings --------------------------------------------- https://xenbits.xen.org/xsa/advisory-393.html ∗∗∗ GNU libc: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0097 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0096 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0094 ∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2022
by Daily end-of-shift report 24 Jan '22

24 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-01-2022 18:00 − Montag 24-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erfolgreicher Angriff auf Nutzerkonten bei Thalia ∗∗∗ --------------------------------------------- Um Schaden von den Kunden abzuwenden, wurden die Kennwörter der betroffenen Konten von Thalia geändert. Die entsprechenden Kunden wurden per E-Mail darüber informiert. Der Buchhändler ruft in der E-Mail auch dazu auf, das Thalia-Kennwort bei anderen Diensten zu ändern, falls dieses auch bei anderen Anbietern mit dem gleichen Benutzernamen verwendet wird. --------------------------------------------- https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten… ∗∗∗ Backup-Software: Dell EMC AppSync kompromittierbar ∗∗∗ --------------------------------------------- Durch mehrere Sicherheitslücken in der Backup-Software EMC AppSync von Dell hätten Angreifer in betroffene Systeme eindringen und sie manipulieren können. --------------------------------------------- https://heise.de/-6334745 ∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗ --------------------------------------------- In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir… ∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗ --------------------------------------------- Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he accepted to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make it more confident with the file. A perfect example of social engineering attack. --------------------------------------------- https://isc.sans.edu/diary/rss/28264 ∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗ --------------------------------------------- Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default. --------------------------------------------- https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex… ∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗ --------------------------------------------- Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...] --------------------------------------------- https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html ∗∗∗ GoWard A robust and rapidly-deployable Red Team proxy ∗∗∗ --------------------------------------------- Generally, Red Teams and adversarys redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWards intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation. --------------------------------------------- https://github.com/chdav/GoWard ∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗ --------------------------------------------- Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites. --------------------------------------------- https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other… ∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗ --------------------------------------------- We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign. --------------------------------------------- https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of… ∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗ --------------------------------------------- Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...] --------------------------------------------- https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗ --------------------------------------------- The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldnt otherwise access or delete, [...] --------------------------------------------- https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗ --------------------------------------------- CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target. --------------------------------------------- https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird). --------------------------------------------- https://lwn.net/Articles/882396/ ∗∗∗ phpMyAdmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0089 ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… ∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2022
by Daily end-of-shift report 21 Jan '22

21 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-01-2022 18:00 − Freitag 21-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iOS 15.3 & Co: Wichtige Bugfixes für iPhones, Macs und Watches in Vorbereitung ∗∗∗ --------------------------------------------- Apples anstehende Betriebssystem-Updates schließen ein schweres Datenschutzleck im Browser Safari und sollen Ladeprobleme bei der Apple Watch ausräumen. --------------------------------------------- https://heise.de/-6334675 ∗∗∗ Netzwerkausrüster F5 sichert BIG-IP & Co. gegen mögliche Attacken ab ∗∗∗ --------------------------------------------- Über Schwachstellen in verschiedenen BIG-IP Appliances könnte Schadcode auf Systeme gelangen. --------------------------------------------- https://heise.de/-6334437 ∗∗∗ Vorsicht: Gefälschte Europol-Vorladungen im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als Europol aus und versenden eine „Einberufung“, die für viele EmpfängerInnen sehr bedrohlich wirkt: So behaupten die Kriminellen, dass mehrere Gerichtsverfahren gegen die Betroffenen laufen würden. Konkret ginge es um Kinderpornografie, Pädophile und Ähnliches. Auch wenn die Mail sehr beängstigend klingt, besteht kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-gefaelschte-europol-vorladu… ∗∗∗ SonicWall Gen7 Firewall Inaccessible/ Reboot Loop (20. Jan. 2022) ∗∗∗ --------------------------------------------- Aktuell sieht es so aus, als ob die SonicWall Gen7 Firewalls seit dem 20. Januar 2022 ein Problem verursachen. Es gibt Berichte, dass kein Zugriff mehr möglich ist oder die Gen7 Firewall in eine Neustart-Schleife fallen. Von SonicWall gibt es dazu bereits einen Supportbeitrag mit einem Workaround. --------------------------------------------- https://www.borncity.com/blog/2022/01/21/sonicwall-gen7-firewall-inaccessib… ∗∗∗ Over 90 WordPress themes, plugins backdoored in supply chain attack ∗∗∗ --------------------------------------------- A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plu… ∗∗∗ Doctor Web’s overview of virus activity on mobile devices in 2021 ∗∗∗ --------------------------------------------- In 2021, making illegal profit remained one of the top cybercriminals’ priorities. That’s why adware trojans, malware that downloaded and installed other software, and trojans capable of downloading and executing arbitrary code, were among the most common threats on Android. Banking trojans also posed a significant threat whilst their activity increased. Moreover, users often encountered various adware apps. --------------------------------------------- https://news.drweb.com/show/?i=14395&lng=en&c=9 ∗∗∗ Doctor Web’s annual virus activity review for 2021 ∗∗∗ --------------------------------------------- Among the most popular threats in 2021 were numerous malware. Among them were trojan droppers destined to distribute malicious malware, and trojan downloader modifications–they download and run executable files with various payloads on the victims computer. Besides that, cybercriminals were actively distributing backdoors. Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET. --------------------------------------------- https://news.drweb.com/show/?i=14393&lng=en&c=9 ∗∗∗ Spyware Blitzes Compromise, Cannibalize ICS Networks ∗∗∗ --------------------------------------------- The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud. --------------------------------------------- https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/… ∗∗∗ AccessPress Themes Hit With Targeted Supply Chain Attack ∗∗∗ --------------------------------------------- Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites. --------------------------------------------- https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply… ∗∗∗ A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations ∗∗∗ --------------------------------------------- Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors. --------------------------------------------- https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukr… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/287178 ∗∗∗ Plugin "Email Template Designer" reißt Sicherheitslücke in WordPress ∗∗∗ --------------------------------------------- Durch eine Schwachstelle im WordPress-Plugin "WordPress Email Template Designer - WP HTML Mail" könnten Angreifer dem Administrator Schadcode unterschieben. --------------------------------------------- https://heise.de/-6334308 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview). --------------------------------------------- https://lwn.net/Articles/882119/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0001.html ∗∗∗ Lexmark Laser Printers: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0087 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Operational Decision Manager (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to a denial of service vulnerability in Apache log4j2 component (CVE-2021-45105 & CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Java Batch affects WebSphere Application Server Liberty (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-bat… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-has… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2022
by Daily end-of-shift report 20 Jan '22

20 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-01-2022 18:00 − Donnerstag 20-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗ --------------------------------------------- Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses. --------------------------------------------- https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense… ∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗ --------------------------------------------- At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. --------------------------------------------- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ ∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗ --------------------------------------------- This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers? --------------------------------------------- https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-w… ∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗ --------------------------------------------- Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an " input validation vulnerability that could allow attackers to build a query given some input and [..] --------------------------------------------- https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html ∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗ --------------------------------------------- "BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researcher said in a technical report on Wednesday. --------------------------------------------- https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html ∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗ --------------------------------------------- Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that the payload is delivered through FTP! It’s pretty unusual because FTP is today less and less used for multiple reasons (lack of encryption by default, complex to filter with those passive/active modes). --------------------------------------------- https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-thr… ∗∗∗ Kritische Sicherheitslücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- In der aktualisierten Version von Google Chrome schließt das Unternehmen zahlreiche Schwachstellen. Mindestens eine davon stuft der Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-6332812 ∗∗∗ Knapp 7 Millionen Passwörter von Open Subtitles entwendet ∗∗∗ --------------------------------------------- Die Webseiten und das Forum von Open Subtitles wurden Opfer von Cyberkriminellen. Die konnten alle Zugangsdaten erbeuten. Nutzer müssen jetzt aktiv werden. --------------------------------------------- https://heise.de/-6332951 ∗∗∗ Zahlreiche Facebook-Seiten bewerben Fernseher um 1,95€ ∗∗∗ --------------------------------------------- Einen QLED-Fernseher um nur 1,95 Euro? Das versprechen derzeit zahlreiche Facebook-Seiten. Alles was Sie dafür machen müssen, ist an einer kurzen Umfrage teilnehmen. Anschließend sollen Sie noch die Kreditkartendaten eingeben, um 1,95 Euro zu bezahlen und schon wird ein hochwertiger Fernseher zu Ihnen nach Hause geliefert. Wie so oft gilt: Das Angebot ist zu gut, um wahr zu sein. Tatsächlich landen Ihre Kreditkartendaten in den Händen von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross site scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. --------------------------------------------- https://www.drupal.org/sa-core-2022-002 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7 --------------------------------------------- https://www.drupal.org/sa-core-2022-001 ∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗ --------------------------------------------- Project: jQuery UI Datepicker Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-004 ∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗ --------------------------------------------- CVE-2021-22282: RCE through Project Upload from Target All versions of Automation Studio 4 are affected. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16405293… ∗∗∗ Local file inclusion Schwachstelle in Land Software - FAUST iServer ∗∗∗ --------------------------------------------- Der von Land Software entwickelte Webserver namens FAUST iServer ist anfällig auf eine local file inclusion Schwachstelle. Ein Angreifer kann alle lokalen Dateien des zugrunde liegenden Betriebssystems im Kontext der aktuellen Festplatte lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-… ∗∗∗ Rechenfehler im Linux-Kernel erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Vor allem in Cloud-Systemen problematisch: An Linux-Systemen angemeldete Nutzer könnten aufgrund eines potenziellen Pufferüberlaufs ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-6333365 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src). --------------------------------------------- https://lwn.net/Articles/881956/ ∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗ --------------------------------------------- We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗ --------------------------------------------- A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328). --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-b… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll… ∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-044/ ∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2022
by Daily end-of-shift report 19 Jan '22

19 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-01-2022 18:00 − Mittwoch 19-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗ --------------------------------------------- [..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18. --------------------------------------------- https://isc.sans.edu/diary/rss/28254 ∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗ --------------------------------------------- In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom. --------------------------------------------- https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-ex… ∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗ --------------------------------------------- Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically, --------------------------------------------- https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevors… ∗∗∗ Betrügerische Geldversprechen auf Instagram ∗∗∗ --------------------------------------------- Kriminelle richten sich mit ihren betrügerischen Anfragen insbesondere an junge Frauen und Männer. Sie versprechen ihnen hohe Geldbeträge für anzügliche Fotos oder spielen vor, an der Finanzierung des Lifestyles der betroffenen Personen interessiert zu sein. Wer solche Angebote bekommt, sollte unbedingt Abstand nehmen. Denn es handelt sich um einen Vorschussbetrug, bei dem vorab Zahlungen verlangt werden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-i… ∗∗∗ The Perfect Cyber Crime ∗∗∗ --------------------------------------------- [..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums. --------------------------------------------- https://safebreach.com/blog/2022/the-perfect-cyber-crime/ ∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗ --------------------------------------------- In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it. --------------------------------------------- https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗ --------------------------------------------- The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks CVE: CVE-2021-24750 --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010098 ∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 497 new security patches across the (Anm.: 165) product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2022.html ∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗ --------------------------------------------- Acer ships most of the laptop it sells with a software suite called Care Center Service installed. In versions up to 4.00.3038 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in. --------------------------------------------- https://aptw.tf/2022/01/20/acer-care-center-privesc.html ∗∗∗ Sicherheitsupdate: Mediaplayer Nvidia Shield TV für Schadcode-Attacke anfällig ∗∗∗ --------------------------------------------- Die Entwickler haben mehrere Lücken in der Android-Version für Nvidia Shield TV geschlossen. Insgesamt gilt das Risiko als hoch. --------------------------------------------- https://heise.de/-6332144 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/881810/ ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61112120 ∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96924184 ∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82793463 ∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41503304 ∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53442005 ∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16101409 ∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28042514 ∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91013510 ∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08476614 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93526903 ∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30525503 ∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54892865 ∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29500533 ∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50343028 ∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68755210 ∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26310765 ∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34360320 ∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30911244 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41415626 ∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44110411 ∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08402414 ∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11742742 ∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30573026 ∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24358905 ∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2022
by Daily end-of-shift report 18 Jan '22

18 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 17-01-2022 18:00 − Dienstag 18-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft releases emergency fixes for Windows Server, VPN bugs ∗∗∗ --------------------------------------------- Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc… ∗∗∗ Telenot-Schließanlage: Schwacher Zufall sorgt für offene Türen ∗∗∗ --------------------------------------------- Ein Alarmanlagen- und Schließsystem erstellte Zufallszahlen mit einer dafür nicht geeigneten C-Funktion. --------------------------------------------- https://www.golem.de/news/telenot-schliessanlage-schwacher-zufall-sorgt-fue… ∗∗∗ Understanding Website SQL Injections ∗∗∗ --------------------------------------------- SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it’s become more important for web users to adapt to these increased breaches with changes in behavior like system generated passwords and 2FA. In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack. --------------------------------------------- https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html ∗∗∗ Zoho Patches Critical Vulnerability in Endpoint Management Solutions ∗∗∗ --------------------------------------------- Zoho Corp on Monday said it has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. --------------------------------------------- https://www.securityweek.com/zoho-patches-critical-vulnerability-endpoint-m… ∗∗∗ Kreditbetrug auf globalekredit-fin.com & darlehenexpert.com ∗∗∗ --------------------------------------------- Sie möchten einen Kredit aufnehmen und suchen im Internet nach günstigen Konditionen? Wir raten zur Vorsicht. In den Suchergebnissen lauern auch betrügerische Angebote wie globalekredit-fin.com oder darlehenexpert.com. Wer dort eine Anfrage stellt, läuft Gefahr viel Geld zu verlieren. Und: Kredite gibt es hier keine! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-auf-globalekredit-finco… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0002 ∗∗∗ --------------------------------------------- VMware Workstation and Horizon Client for Windows updates address a denial-of-service vulnerability (CVE-2022-22938) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/881648/ ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-36160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-is… ∗∗∗ Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j CVE-2021-45046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-40438) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2022
by Daily end-of-shift report 17 Jan '22

17 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-01-2022 18:00 − Montag 17-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v97 ∗∗∗ --------------------------------------------- We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97! We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th) ∗∗∗ --------------------------------------------- Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). --------------------------------------------- https://isc.sans.edu/diary/rss/28246 ∗∗∗ New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking ∗∗∗ --------------------------------------------- A software bug introduced in Apple Safari 15s implementation of the IndexedDB API could be abused by a malicious website to track users online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021. --------------------------------------------- https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.ht… ∗∗∗ Domain Persistence – Machine Account ∗∗∗ --------------------------------------------- Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “userAccountControl” attribute [...] --------------------------------------------- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/ ∗∗∗ "Smishing"-Masche: Weiter massenhaft Betrugs-SMS auf Handys ∗∗∗ --------------------------------------------- Wer eine SMS von unbekannt mit einem Link bekommt, sollte vorsichtig sein. Es könnte sich um eine Betrugs-SMS handeln. "Smishing" ist noch immer nicht vorbei. --------------------------------------------- https://heise.de/-6328158 ∗∗∗ Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide ∗∗∗ --------------------------------------------- The GoSecure Titan Labs team saw an opportunity to further explore the topic of hash capturing (which is a must in the arsenal of any offensive team). This blog will examine RDP security modes, how they work and how to put that into action to capture NetNTLMv2 hashes via the RDP protocol using PyRDP—a library created by GoSecure. --------------------------------------------- https://www.gosecure.net/blog/2022/01/17/capturing-rdp-netntlmv2-hashes-att… ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: Linux full-disk encryption bug fixed – patch now! ∗∗∗ --------------------------------------------- Imagine if someone who didnt have your password could sneakily modify data that was encrypted with it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/01/14/serious-security-linux-full-dis… ∗∗∗ Über drei Millionen PCs in Deutschland mit unsicherem Windows-System ∗∗∗ --------------------------------------------- Vor zwei Jahren stellte Microsoft den Support für Windows 7 ein. Trotzdem schaffen es viele Anwender nicht, sich von dem unsicheren System zu trennen. --------------------------------------------- https://heise.de/-6328189 ∗∗∗ Virenschutz: Microsoft Defender erleichtert Einnisten von Schädlingen ∗∗∗ --------------------------------------------- Eine kleine Schwachstelle bei Zugriffsrechten des Microsoft Defender unter Windows 10 ermöglicht Angreifern, Malware vor Scans zu verstecken. --------------------------------------------- https://heise.de/-6329300 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/881545/ ∗∗∗ Oracle to Release Nearly 500 New Security Patches ∗∗∗ --------------------------------------------- Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022. --------------------------------------------- https://www.securityweek.com/oracle-release-nearly-500-new-security-patches ∗∗∗ Microsoft Januar 2022 Patchday-Revisionen (14.1.2022) ∗∗∗ --------------------------------------------- Zum 11. Januar 2022 hat Microsoft eine Reihe Sicherheitsupdates für Windows und Office freigegeben, die Schwachstellen beseitigen sollen. Einige dieser Updates führten aber zu Problemen, so dass Funktionen in Windows gestört wurden. Am 14. Januar 2022 hat Microsoft eine Liste [...] --------------------------------------------- https://www.borncity.com/blog/2022/01/17/microsoft-januar-2022-patchday-rev… ∗∗∗ ZDI-22-081: TP-Link TL-WA1201 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-081/ ∗∗∗ ZDI-22-080: TP-Link Archer C90 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-080/ ∗∗∗ OpenBMCS 2.4 Secrets Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php ∗∗∗ OpenBMCS 2.4 Unauthenticated SSRF / RFI ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php ∗∗∗ OpenBMCS 2.4 Create Admin / Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-041/ ∗∗∗ GNU libc: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0054 ∗∗∗ Stored Cross-Site Scripting Schwachstelle in Typo3 Extension "femanager" ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2022
by Daily end-of-shift report 14 Jan '22

14 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-01-2022 18:00 − Freitag 14-01-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Defender weakness lets hackers bypass malware detection ∗∗∗ --------------------------------------------- Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-… ∗∗∗ Nach Log4J: Google will zusammen mit Regierungen Open Source absichern ∗∗∗ --------------------------------------------- Seit langem sucht Google nach Wegen, Open-Source-Software besser abzusichern. Nach der Log4J-Lücke kommen nun auch Regierungen ins Spiel. --------------------------------------------- https://www.golem.de/news/nach-log4j-google-will-zusammen-mit-regierungen-o… ∗∗∗ Microsoft Yanks Buggy Windows Server Updates ∗∗∗ --------------------------------------------- Since their release on Patch Tuesday, the updates have been breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable. --------------------------------------------- https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/ ∗∗∗ A closer look at Flubot’s DoH tunneling ∗∗∗ --------------------------------------------- [...] The following blog post will take a closer look at Flubot version 4.9, and in particular its Command and Control (C&C) communication, based on the data F-Secure gathered during that campaign. --------------------------------------------- https://blog.f-secure.com/flubot_doh_tunneling/ ∗∗∗ Verwundbare Exchange-Server der öffentlichen Verwaltung ∗∗∗ --------------------------------------------- 20 Exchange-Server in öffentlicher Hand waren für eine Sicherheitslücke anfällig. Kriminelle hätten die Kontrolle übernehmen können. --------------------------------------------- https://heise.de/-6320504 ∗∗∗ Citrix liefert Sicherheitsupdates für Workspace App und Hypervisor ∗∗∗ --------------------------------------------- Sicherheitslücken in der Citrix Workspace App for Linux und im Hypervisor ermöglichten Angreifern die Rechteausweitung oder DoS-Attacken auf den Host. --------------------------------------------- https://heise.de/-6327171 ∗∗∗ Aus für iOS 14? Verwirrung über fehlende Sicherheits-Updates ∗∗∗ --------------------------------------------- Neben iOS 15 stellte Apple erstmals Updates für die Vorjahresversion des Betriebssystems in Aussicht. Es fehlen aber wichtige Patches für iOS 14. --------------------------------------------- https://heise.de/-6327709 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Unified Contact Manager ∗∗∗ --------------------------------------------- Admins von Cisco-Hard- und -Software sind gefragt, ihre Systeme abzusichern. --------------------------------------------- https://heise.de/-6327050 ∗∗∗ Schadcode-Schlupflöcher in Qnap NAS geschlossen ∗∗∗ --------------------------------------------- Die Qnap-Entwickler haben ihr NAS-Betriebssystem und zwei Apps gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6327201 ∗∗∗ Juniper Networks stopft zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- In Geräten und Diensten von Juniper hätten Angreifer Schwachstellen etwa für DoS-Angriffe, die Ausweitung von Rechten oder Schlimmeres missbrauchen können. --------------------------------------------- https://heise.de/-6327645 ∗∗∗ Signierte Kernel‑Treiber – unbewachte Zugänge zum Windows‑Kern ∗∗∗ --------------------------------------------- ESET Forscher untersuchen Schwachstellen in signierten Windows-Treibern, die trotz Gegenmaßnahmen immer noch ein Sicherheitsproblem darstellen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-treiber-… ∗∗∗ Telefon-Betrug: Drücken Sie nicht die Taste 1! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit betrügerische Anrufe: Dabei werden willkürlich Personen angerufen und mit einer Bandansage darauf hingewiesen, dass es einen Haftbefehl gegen sie gäbe. Um mehr zu erfahren, solle die Taste 1 gedrückt werden. Machen Sie das auf keinen Fall! Die BetrügerInnen wollen Sie damit in eine Kostenfalle locken. --------------------------------------------- https://www.watchlist-internet.at/news/telefon-betrug-druecken-sie-nicht-di… ∗∗∗ Schwachstellen in AWS Glue und AWS Cloud Formation entdeckt ∗∗∗ --------------------------------------------- Das Orca Security Research Team hat Sicherheitslücken im Amazon Web Services AWS Glue-Service sowie zur Zero-Day-Schwachstelle BreakingFormation erkannt. Beide Unternehmen konnten binnen weniger Tagen die Fehler beheben. --------------------------------------------- https://www.zdnet.de/88398803/schwachstellen-in-aws-glue-und-aws-cloud-form… ∗∗∗ Detection Rules for Sysjoker (and How to Make Them With Osquery) ∗∗∗ --------------------------------------------- On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/detection-rules-sysjoker-osquer… ∗∗∗ Adobe Acrobat (Reader) DC 21.011.20039, Installationsfehler und offene Bugs ∗∗∗ --------------------------------------------- Kurzer Sammelbeitrag zum Acrobat Gelump, was Adobe auf die Rechner der Nutzer kippt. Zum 11. Januar 2022 gab es ein Sicherheitsupdate für den Adobe Acrobat (Reader) DC auf die Version 21.011.20039. Weiterhin haben mich die letzten Tage einige Nutzer auf eine Latte an offenen Bugs hingewiesen, die ich hier mal einfach einstellen will. Soll ja niemand behaupten, ich ließe die "Qualitätsupdates" von Adobe zum Acrobat unerwähnt. --------------------------------------------- https://www.borncity.com/blog/2022/01/14/adobe-acrobat-reader-dc-21-011-200… ===================== = Vulnerabilities = ===================== ∗∗∗ Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles ∗∗∗ --------------------------------------------- Positive Technologies researchers, Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnsites. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow). --------------------------------------------- https://lwn.net/Articles/881407/ ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Lack of Administrator Control Over Security vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Initialization vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block, --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-07 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) ∗∗∗ --------------------------------------------- [...] 4.1 AFFECTED PRODUCTS [...] Begin Update B Part 1 of 1 - L 02/06/26 CPU (-P), L 26 CPU - (P) BT, serial number 23121 and earlier End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-20-303-01 ∗∗∗ Trane Symbio (Update B) ∗∗∗ --------------------------------------------- [...] 3. RISK EVALUATION Begin Update B Part 1 of 1 Successful exploitation of this vulnerability could allow a user to execute arbitrary code on the controller. End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-21-266-01 ∗∗∗ Ivanti Updates Log4j Advisory with Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-lo… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0050 ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0052 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2022
by Daily end-of-shift report 13 Jan '22

13 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-01-2022 18:00 − Donnerstag 13-01-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ 19-jähriger Hacker kann Teslas in 13 Ländern fernsteuern ∗∗∗ --------------------------------------------- Der junge IT-Sicherheitsexperte kann die Autos lokalisieren, Türen öffnen und das Entertainment-System fernsteuern. [..] In einem Twitter-Beitrag, den er am Montag veröffentlichte, erklärte er auch, dass es sich bei dem Fehler nicht um eine Schwachstelle in der Infrastruktur von Tesla handelt. Es sei der Fehler der Besitzer*innen. Weiters schreibt Colombo, dass er das Problem an das Sicherheitsteam von Tesla gemeldet hat, das die Angelegenheit untersucht. --------------------------------------------- https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laen… ∗∗∗ Adobe Cloud Abused to Steal Office 365, Gmail Credentials ∗∗∗ --------------------------------------------- Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered. --------------------------------------------- https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/17762… ∗∗∗ Decrypting Qakbot’s Encrypted Registry Keys ∗∗∗ --------------------------------------------- One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-… ∗∗∗ Viele Lücken im Software-System Jenkins entdeckt – und noch nicht geschlossen ∗∗∗ --------------------------------------------- Entwickler sollten ihre Jenkins-Umgebung aus Sicherheitsgründen auf den aktuellen Stand bringen. Viele Updates sind jedoch noch nicht verfügbar. --------------------------------------------- https://heise.de/-6326362 ∗∗∗ 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability ∗∗∗ --------------------------------------------- We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins.. --------------------------------------------- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-th… ∗∗∗ Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems ∗∗∗ --------------------------------------------- [..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves. --------------------------------------------- https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html ∗∗∗ Code-Signatur-Prozesse sichern ∗∗∗ --------------------------------------------- DevOps steht unter Druck, wie unter anderem bei der Attacke auf SolarWinds offenkundig wurde. Fünf Wege zur Absicherung von Code-Signatur-Prozessen schildert Tony Hadfield, Director Solutions Architect bei Venafi, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master" ∗∗∗ --------------------------------------------- * Cross-site request forgery (CWE-352) - CVE-2022-0180 * Reflected cross-site scripting (CWE-79) - CVE-2022-0181 * Stored cross-site scripting (CWE-79) - CVE-2022-0182 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN72788165/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat 34 Security Advisories veröffentlicht. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Klartextspeicherung des Kennwortes in Cisco IP Telefonen ∗∗∗ --------------------------------------------- Mehrere Cisco IP Telefone speichern das konfigurierte Verwalterkennwort als Klartext im unverschlüsselten Flash Speicher. Somit ist die Extrahierung des Kennworts bei physischem Zugriff auf ein Telefon problemlos möglich. Wird dieses Kennwort nun bei mehreren Telefonen verwendet, bekommt ein Angreifer Zugriff auf die administrativen Einstellungen aller Geräte im Netzwerk. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-d… ∗∗∗ Apache Log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- Product / System line - Potentially affected products and versions * B&R Products - See further details in specific advisory * ABB Remote Service - ABB Remote Access Platform (RAP) --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ iOS 15.2.1 und iPadOS 15.2.1: Wartungsupdates für iPhone und iPad ∗∗∗ --------------------------------------------- Apple hat eine Bugfix- und Sicherheitsaktualisierung für seine Handys und Tablets. Neben einigen Fehler wird auch ein Sicherheitsproblem behoben. --------------------------------------------- https://heise.de/-6325566 ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht Computer mit HP-UX ∗∗∗ --------------------------------------------- HPE-Entwickler haben eine kritische Schwachstelle im Unix-Betriebssystem HP-UX geschlossen. --------------------------------------------- https://heise.de/-6326104 ∗∗∗ IBM sichert sein Server- und Workstation-System AIX ab ∗∗∗ --------------------------------------------- Angreifer könnten AIX-Systeme von IBM attackieren und Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6326080 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd). --------------------------------------------- https://lwn.net/Articles/881303/ ∗∗∗ Cisco Patches Critical Vulnerability in Contact Center Products ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator. --------------------------------------------- https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-c… ∗∗∗ Citrix Hypervisor Security Update - CTX335432 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor, that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715 All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues --------------------------------------------- https://support.citrix.com/article/CTX335432 ∗∗∗ CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH) ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts: * Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; * Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0015 ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-horto… ∗∗∗ Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynami… ∗∗∗ January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-03 ∗∗∗ CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0014 ∗∗∗ CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0013 ∗∗∗ CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2022
by Daily end-of-shift report 12 Jan '22

12 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗ --------------------------------------------- TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… ∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd… ∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗ --------------------------------------------- Here, we analyze the macOS versions of a cross-platform backdoor. --------------------------------------------- https://objective-see.com/blog/blog_0x6C.html ∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗ --------------------------------------------- Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. --------------------------------------------- https://isc.sans.edu/diary/rss/28234 ∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗ --------------------------------------------- This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-… ∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗ --------------------------------------------- Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te… ∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗ --------------------------------------------- With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours. --------------------------------------------- https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em… ∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗ --------------------------------------------- ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation. --------------------------------------------- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g… ∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗ --------------------------------------------- Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten. --------------------------------------------- https://certitude.consulting/blog/de/ransomware-leak-de/ ∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗ --------------------------------------------- Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o… ∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗ --------------------------------------------- Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten. --------------------------------------------- https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh… ∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗ --------------------------------------------- The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/30645/ ∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗ --------------------------------------------- Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information. --------------------------------------------- http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr… ===================== = Vulnerabilities = ===================== ∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗ --------------------------------------------- Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu… ∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗ --------------------------------------------- 1 Critical, 8 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM published 14 Security Bulletins --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-6323634 ∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗ --------------------------------------------- Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6323723 ∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗ --------------------------------------------- Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio. --------------------------------------------- https://heise.de/-6323843 ∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗ --------------------------------------------- Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind. --------------------------------------------- https://heise.de/-6323936 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml). --------------------------------------------- https://lwn.net/Articles/881144/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗ --------------------------------------------- The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗ --------------------------------------------- When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/ ∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-… ∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0037 ∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-57 ∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-59 ∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-60 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2022
by Daily end-of-shift report 11 Jan '22

11 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗ --------------------------------------------- Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert. --------------------------------------------- https://heise.de/-6323191 ∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗ --------------------------------------------- Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt. --------------------------------------------- https://heise.de/-6322269 ∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗ --------------------------------------------- Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the… ∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-… ∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗ --------------------------------------------- The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo… ∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗ --------------------------------------------- The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al. --------------------------------------------- https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus… ∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗ --------------------------------------------- TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit… ∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗ --------------------------------------------- Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0 --------------------------------------------- https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin… ∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗ --------------------------------------------- Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/securit… ∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗ --------------------------------------------- The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems. --------------------------------------------- https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/ ∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗ --------------------------------------------- Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗ --------------------------------------------- Researchers offer more detail on the bug, which can allow attackers to completely take over targets. --------------------------------------------- https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/ ∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗ --------------------------------------------- Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi… ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent… ∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗ --------------------------------------------- The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-059/ ∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions. --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018… ∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗ --------------------------------------------- On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 ∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. --------------------------------------------- https://support.citrix.com/article/CTX338435 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/881005/ ∗∗∗ Synology-SA-22:01 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_01 ∗∗∗ Johnson Controls VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know… ∗∗∗ January 10th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2022
by Daily end-of-shift report 10 Jan '22

10 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗ --------------------------------------------- Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien. --------------------------------------------- https://heise.de/-6321079 ∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗ --------------------------------------------- The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e… ∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗ --------------------------------------------- Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m… ∗∗∗ Wheres the Interpreter!? ∗∗∗ --------------------------------------------- CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why! --------------------------------------------- https://objective-see.com/blog/blog_0x6A.html ∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗ --------------------------------------------- TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T". --------------------------------------------- https://isc.sans.edu/diary/rss/28194 ∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗ --------------------------------------------- There is also a video of this analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28200 ∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗ --------------------------------------------- Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. --------------------------------------------- https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h… ∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗ --------------------------------------------- The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s… ∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗ --------------------------------------------- tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. --------------------------------------------- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names… ∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗ --------------------------------------------- The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools. --------------------------------------------- https://www.securityweek.com/us-government-issues-warning-over-commercial-s… ∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗ --------------------------------------------- Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. --------------------------------------------- https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c… ∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗ --------------------------------------------- When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. --------------------------------------------- https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗ --------------------------------------------- Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. --------------------------------------------- https://kb.cert.org/vuls/id/142629 ∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗ --------------------------------------------- A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...] --------------------------------------------- https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html ∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates. --------------------------------------------- https://heise.de/-6321485 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/880807/ ∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗ --------------------------------------------- Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates. --------------------------------------------- https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...] --------------------------------------------- http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2022
by Daily end-of-shift report 07 Jan '22

07 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗ --------------------------------------------- A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu… ∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans… ∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗ --------------------------------------------- A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples… ∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗ --------------------------------------------- This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. --------------------------------------------- https://isc.sans.edu/diary/rss/28224 ∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗ --------------------------------------------- When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. --------------------------------------------- https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html ∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗ --------------------------------------------- Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt. --------------------------------------------- https://heise.de/-6319430 ∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗ --------------------------------------------- Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht. --------------------------------------------- https://heise.de/-6320248 ∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗ --------------------------------------------- LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗ --------------------------------------------- QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar… ∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗ --------------------------------------------- UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit… ∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗ --------------------------------------------- Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. --------------------------------------------- https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 36 Security Bulletins veröffentlicht --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗ --------------------------------------------- In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6320363 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...] --------------------------------------------- https://lwn.net/Articles/880564/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/880672/ ∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-01 ∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-02 ∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0006 ∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0014 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01 ∗∗∗ Fernhill SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03 ∗∗∗ Philips Engage Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2022
by Daily end-of-shift report 05 Jan '22

05 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗ --------------------------------------------- Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-… ∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗ --------------------------------------------- Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? --------------------------------------------- https://isc.sans.edu/diary/rss/28216 ∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗ --------------------------------------------- An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information. --------------------------------------------- https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html ∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗ --------------------------------------------- Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money. --------------------------------------------- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati… ∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗ --------------------------------------------- Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio… ∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗ --------------------------------------------- Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗ --------------------------------------------- IBM hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗ --------------------------------------------- VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch. --------------------------------------------- https://heise.de/-6318269 ∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗ --------------------------------------------- IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten. --------------------------------------------- https://heise.de/-6318740 ∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗ --------------------------------------------- Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können. --------------------------------------------- https://heise.de/-6318885 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/880454/ ∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗ --------------------------------------------- Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS. --------------------------------------------- https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20… ∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10396196 ∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2022
by Daily end-of-shift report 04 Jan '22

04 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗ --------------------------------------------- I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). --------------------------------------------- https://isc.sans.edu/diary/rss/28212 ∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗ --------------------------------------------- The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way. --------------------------------------------- https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle… ∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden. --------------------------------------------- https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm… ∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗ --------------------------------------------- A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites. --------------------------------------------- https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/ ∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗ --------------------------------------------- Organizations mights not realize their environments are already compromised. --------------------------------------------- https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble… ∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗ --------------------------------------------- A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs. --------------------------------------------- https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/880327/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ VMSA-2022-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0001.html ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2022
by Daily end-of-shift report 03 Jan '22

03 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗ --------------------------------------------- Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro… ∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗ --------------------------------------------- Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year. --------------------------------------------- https://isc.sans.edu/diary/rss/28202 ∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗ --------------------------------------------- I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. --------------------------------------------- https://isc.sans.edu/diary/rss/28208 ∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗ --------------------------------------------- Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. --------------------------------------------- https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html ∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗ --------------------------------------------- Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten. --------------------------------------------- https://heise.de/-6316020 ∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗ --------------------------------------------- Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe. --------------------------------------------- https://heise.de/-6315605 ∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗ --------------------------------------------- Or, “Can large language models generate exploits?” --------------------------------------------- https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang… ∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗ --------------------------------------------- We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous. --------------------------------------------- https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep… ∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗ --------------------------------------------- Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde. --------------------------------------------- https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01 ∗∗∗ Log4j Scanners ∗∗∗ --------------------------------------------- There are 19 tools, and each has certain stipulations with it. I would suggest take a look. --------------------------------------------- https://securitythreatnews.com/2022/01/03/log4j-scanners/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben. --------------------------------------------- https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un… ∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗ --------------------------------------------- Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat. --------------------------------------------- https://heise.de/-6315714 ∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗ --------------------------------------------- Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6316037 ∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen. --------------------------------------------- https://heise.de/-6316263 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/880100/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana). --------------------------------------------- https://lwn.net/Articles/880232/ ∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy… ∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2021
by Daily end-of-shift report 30 Dec '21

30 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗ --------------------------------------------- Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl… ∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗ --------------------------------------------- Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. --------------------------------------------- https://isc.sans.edu/diary/rss/28190 ∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗ --------------------------------------------- Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches. --------------------------------------------- https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr… ∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗ --------------------------------------------- Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient. --------------------------------------------- https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb). --------------------------------------------- https://lwn.net/Articles/880039/ ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1320 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2021
by Daily end-of-shift report 29 Dec '21

29 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗ --------------------------------------------- The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa… ∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗ --------------------------------------------- Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc… ∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗ --------------------------------------------- Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben. --------------------------------------------- https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3… ∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗ --------------------------------------------- Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API) --------------------------------------------- https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh… ∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗ --------------------------------------------- A supervised learning approach to Living off the Land attack classification from Adobe SI --------------------------------------------- https://isc.sans.edu/diary/rss/28184 ∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗ --------------------------------------------- An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," --------------------------------------------- https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html ∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗ --------------------------------------------- In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF. --------------------------------------------- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ ∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗ --------------------------------------------- Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security. --------------------------------------------- https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt… ∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c… ∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗ --------------------------------------------- An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations. --------------------------------------------- https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗ --------------------------------------------- CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one. --------------------------------------------- https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-… ∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗ --------------------------------------------- This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/879995/ ∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1313 ∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗ --------------------------------------------- Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. - Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates - Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only) --------------------------------------------- https://support.citrix.com/article/CTX335705 ∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- CVE identifier: CVE-2021-34347 Affected products: All QNAP NAS A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-53 ∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2021
by Daily end-of-shift report 28 Dec '21

28 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. --------------------------------------------- https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html ∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗ --------------------------------------------- This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root. --------------------------------------------- https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html ∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗ --------------------------------------------- Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload. --------------------------------------------- https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac… ===================== = Vulnerabilities = ===================== ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update December 28, 10:01am The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions). --------------------------------------------- https://lwn.net/Articles/879952/ ∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2021
by Daily end-of-shift report 27 Dec '21

27 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-12-2021 18:00 − Montag 27-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rook ransomware is yet another spawn of the leaked Babuk code ∗∗∗ --------------------------------------------- A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-anoth… ∗∗∗ QNAP NAS devices hit in surge of ech0raix ransomware attacks ∗∗∗ --------------------------------------------- Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surg… ∗∗∗ Example of how attackers are trying to push crypto miners via Log4Shell, (Fri, Dec 24th) ∗∗∗ --------------------------------------------- While following Log4Shell's exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victims machines. --------------------------------------------- https://isc.sans.edu/diary/rss/28172 ∗∗∗ More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild ∗∗∗ --------------------------------------------- A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. --------------------------------------------- https://therecord.media/more-than-1200-phishing-toolkits-capable-of-interce… ∗∗∗ QNAP Firmware-Update Version QTS 5.0.0.1891 build 20211221 und log4j-Schwachstelle ∗∗∗ --------------------------------------------- Der Hersteller QNAP hat kurz vor Weihnachten ein Firmware-Update für sein QTS 5 freigegeben. Das Update schließt einige Schwachstellen. Zudem wurde eine log4j-Schwachstelle in QNAP-Software gemeldet. --------------------------------------------- https://www.borncity.com/blog/2021/12/26/qnap-firmware-update-version-qts-5… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett Walk-Through Metal Detectors Can Be Hacked Remotely ∗∗∗ --------------------------------------------- A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices. --------------------------------------------- https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html ∗∗∗ Remote Code Execution Vulnerabilities in Veritas Enterprise Vault ∗∗∗ --------------------------------------------- Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server. CVSS v3.1 Base Score 9.8 CVEs: CVE-2021-44679, CVE-2021-44680, CVE-2021-44678, CVE-2021-44677, CVE-2021-44682, CVE-2021-44681 --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS21-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 33 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc). --------------------------------------------- https://lwn.net/Articles/879791/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc). --------------------------------------------- https://lwn.net/Articles/879891/ ∗∗∗ SolarWinds - multiple advisories ∗∗∗ --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ K16090693: Apache HTTP server vulnerability CVE-2021-44224 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16090693 ∗∗∗ Moxa MGate Protocol Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-01 ∗∗∗ Johnson Controls exacq Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2021
by Daily end-of-shift report 23 Dec '21

23 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗ --------------------------------------------- A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employ… ∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗ --------------------------------------------- A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-… ∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗ --------------------------------------------- A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-… ∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗ --------------------------------------------- A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. --------------------------------------------- https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csir… ∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗ --------------------------------------------- Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben. --------------------------------------------- https://heise.de/-6306221 ∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗ --------------------------------------------- The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances. --------------------------------------------- https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher… ∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗ --------------------------------------------- One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe. --------------------------------------------- https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-cleve… ∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗ --------------------------------------------- Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc. Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗ --------------------------------------------- Project: Mail Login Security risk: Moderately critical Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5 --------------------------------------------- https://www.drupal.org/sa-contrib-2021-047 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 46 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗ --------------------------------------------- A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. --------------------------------------------- https://www.openwall.com/lists/oss-security/2021/12/20/4 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/879675/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1304 ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2021
by Daily end-of-shift report 22 Dec '21

22 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-12-2021 18:00 − Mittwoch 22-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ CISA releases Apache Log4j scanner to find vulnerable apps ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by& two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-s… ∗∗∗ The Biggest Cyber Security Developments in 2021 ∗∗∗ --------------------------------------------- As we charge towards another new year, we decided to pulse our threat intelligence team (@teamcymru_s2) for their views on what they perceive to be the biggest developments in cyber security over the past twelve months. --------------------------------------------- https://team-cymru.com/blog/2021/12/21/the-biggest-cyber-security-developme… ∗∗∗ Vorsicht vor betrügerischer BAWAG-SMS ∗∗∗ --------------------------------------------- Eine SMS-Falle kursiert, die dazu aufruft eine angebliche Sicherheits-App von der BAWAG-Bank zu installieren. --------------------------------------------- https://futurezone.at/digital-life/betrug-bawag-sms-phishing/401851228 ∗∗∗ Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look ∗∗∗ --------------------------------------------- There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits. --------------------------------------------- https://threatpost.com/java-supply-chain-log4j-bug/177211/ ∗∗∗ December 2021 Forensic Contest: Answers and Analysis, (Wed, Dec 22nd) ∗∗∗ --------------------------------------------- Thanks to everyone who participated in our December 2021 forensic challenge! You can still find the pcap for our December 2021 forensic contest here. --------------------------------------------- https://isc.sans.edu/diary/rss/28160 ∗∗∗ Vorsicht beim Autokauf: Privatkäufe nicht über easycarpay.net abwickeln ∗∗∗ --------------------------------------------- Wer auf der Suche nach günstigen Gebrauchtautos ist, wird oft auf Kleinanzeigenplattformen fündig. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich plötzlich im Ausland befindet oder andere Ausreden erfindet, wieso eine Besichtigung des Fahrzeugs nicht möglich sei. Spätestens wenn die Verkäuferin oder der Verkäufer vorschlägt, den Kauf über die Webseite easycarpay.net abzuwickeln, sollten Sie den Kontakt abbrechen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-autokauf-privatkaeufe-… ∗∗∗ Ubisoft erneut Opfer eines Cyberangriffs ∗∗∗ --------------------------------------------- Der Spielegigant Ubisoft hat einen Cyberangriff auf seine IT-Infrastruktur bestätigt, der auf das beliebte Spiel Just Dance abzielte. Laut Ubisoft gab es einen Einbruch in die IT-Infrastruktur des Unternehmens. --------------------------------------------- https://www.zdnet.de/88398543/ubisoft-erneut-opfer-eines-cyberangriffs/ ∗∗∗ Mitigating Log4Shell and Other Log4j-Related Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/22/mitigating-log4sh… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA discloses applications impacted by Log4j vulnerability ∗∗∗ --------------------------------------------- NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-discloses-application… ∗∗∗ VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass ∗∗∗ --------------------------------------------- Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication. --------------------------------------------- https://kb.cert.org/vuls/id/692873 ∗∗∗ Active Directory: Microsoft warnt vor einfacher Domain-Übernahme ∗∗∗ --------------------------------------------- Zwei bekannte und bereits behobene Fehler in Active Directory ließen sich leicht ausnutzen, warnt Microsoft und empfiehlt dringend Updates. --------------------------------------------- https://www.golem.de/news/active-directory-microsoft-warnt-vor-einfacher-do… ∗∗∗ Four Bugs in Microsoft Teams Left Platform Vulnerable Since March ∗∗∗ --------------------------------------------- Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack. --------------------------------------------- https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 68 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ WordPress-Plug-in: Kritische Lücke in All In One SEO bedroht Millionen Websites ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites mit All in One SEO mit Schadcode attackieren. Eine abgesicherte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-6304412 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/879492/ ∗∗∗ Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (UPDATE) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-479842: Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer (Platform, Basic and Advanced) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-479842.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2021
by Daily end-of-shift report 21 Dec '21

21 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 20-12-2021 18:00 − Dienstag 21-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware: Wer hat Angst vor Androids Barrierefreiheit? ∗∗∗ --------------------------------------------- Schadsoftware unter Android nutzt häufig die Accessibility Services, um Sicherheitsfunktionen auszuhebeln. Doch Apps können sich schützen. --------------------------------------------- https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreihe… ∗∗∗ Xcode: Hotfix soll Log4j-Lücke umfahren ∗∗∗ --------------------------------------------- Apples Entwicklungsumgebung enthält eine angreifbare Version der Java-Logging-Bibliothek log4j. Beim Upload von iOS-Apps soll aber ein Fix greifen. --------------------------------------------- https://heise.de/-6301988 ∗∗∗ Have I Been Pwned: 225 Millionen neue Passwörter von britischer Polizeibehörde ∗∗∗ --------------------------------------------- Der Datensatz des Passwort-Prüfdiensts wächst immer weiter. Für Strafverfolgungsbehörden gibt es nun einen Weg, sichergestellte Daten direkt einzuspeisen. --------------------------------------------- https://heise.de/-6301963 ∗∗∗ Google entfernt Malware-infizierte SMS-App aus Play Store ∗∗∗ --------------------------------------------- Auf mehr als 500.000 Installationen kam eine Messages-App in Googles App-Store, die die Malware Joker einschleppte. Inzwischen hat Google die App entfernt. --------------------------------------------- https://heise.de/-6302544 ∗∗∗ Sicher verkaufen auf Willhaben, Shpock & Co ∗∗∗ --------------------------------------------- Sie möchten ungenutzte Gegenstände weiterverkaufen? Mit Plattformen wie willhaben, shpock oder Facebook haben Sie zahlreiche Möglichkeiten, alte Möbel, vernachlässigte Sportausrüstung oder Elektrogeräte an den Mann oder die Frau zu bringen. Dabei gibt es aber einiges zu beachten! Wir zeigen Ihnen, wie Sie sicher über Kleinanzeigenplattformen verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpoc… ∗∗∗ Backdoor CVE-2021-40859 in Auerswald Telefonanlagen (z.B. COMpact 5500R 7.8A & 8.0B) gefixt ∗∗∗ --------------------------------------------- Auerswald ist ein deutscher Hersteller von Telefonanlagen für den Unternehmenseinsatz. Sicherheitsforscher haben in der Firmware von Auerswald Telefonanlagen (z.B. COMpact 5500R) Hintertüren entdeckt, über die man das Administrator-Passwort zurücksetzen konnte. Dies wurde zum 20.12.2021 offen gelegt. Hier einige Informationen dazu. --------------------------------------------- https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswa… ∗∗∗ Two Active Directory Bugs Lead to Easy Windows Domain Takeover ∗∗∗ --------------------------------------------- Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12. --------------------------------------------- https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/ ∗∗∗ Day 10: where we are with log4j from honeypot’s perspective ∗∗∗ --------------------------------------------- Our team spent great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs, --------------------------------------------- https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-t… ∗∗∗ [SANS ISC] More Undetected PowerShell Dropper ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place. --------------------------------------------- https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dr… ∗∗∗ Velociraptor & Loki ∗∗∗ --------------------------------------------- Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server [...] --------------------------------------------- https://blog.rootshell.be/2021/12/21/velociraptor-loki/ ∗∗∗ RCE in Visual Studio Codes Remote WSL for Fun and Negative Profit ∗∗∗ --------------------------------------------- The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system. --------------------------------------------- https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-f… ∗∗∗ Log4j vulnerability: what should boards be asking? ∗∗∗ --------------------------------------------- Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be… ∗∗∗ FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product. --------------------------------------------- https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-d… ∗∗∗ After ransomware attack, global logistics firm Hellmann warns of scam calls and mail ∗∗∗ --------------------------------------------- Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail. --------------------------------------------- https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm… ∗∗∗ Why vulnerabilities are like buses ∗∗∗ --------------------------------------------- How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 30 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/879360/ ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01 ∗∗∗ Horner Automation Cscape EnvisionRV ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03 ∗∗∗ Emerson DeltaV ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04 ∗∗∗ Schneider Electric Rack PDU (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ Fresenius Kabi Agilia Connect Infusion System ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01 ∗∗∗ Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products ∗∗∗ --------------------------------------------- BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. \[1\]Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-572602.html ∗∗∗ SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt ∗∗∗ Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-… ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2021-44228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2021
by Daily end-of-shift report 20 Dec '21

20 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-12-2021 18:00 − Montag 20-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Upgraded to log4j 2.16? Surprise, theres a 2.17 fixing DoS: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surpri… Log4j vulnerability now used to install Dridex banking malware: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used… Log4Shell: Mehrheit der Java-Pakete hat noch kein Log4J-Update: https://www.golem.de/news/log4shell-mehrheit-der-java-pakete-hat-noch-kein-… Answering Log4Shell-related questions: https://securelist.com/answering-log4shell-related-questions/105402/ Third Log4J Bug Can Trigger DoS; Apache Issues Patch: https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/ TellYouThePass ransomware revived in Linux, Windows Log4j attacks: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability: https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.ht… Second Log4j Vulnerability (CVE-2021-45046) Discovered - New Patch Released: https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html Google: OSS-Fuzz soll Log4j-Fehler in Open-Source-Software finden: https://heise.de/-6298560 Erster Wurm "kriecht" durch Log4j-Sicherheitslücke: https://heise.de/-6299080 Was Geschäftsführer jetzt über Log4Shell wissen sollten: https://www.welivesecurity.com/deutsch/2021/12/17/was-geschaeftsfuehrer-ueb… Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to… Log4j-Infos, belgisches Verteidigungsministerium betroffen?: https://www.borncity.com/blog/2021/12/20/log4j-infos-belgisches-verteidigun… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ Western Digital warns customers to update their My Cloud devices ∗∗∗ --------------------------------------------- Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. --------------------------------------------- https://www.bleepingcomputer.com/news/security/western-digital-warns-custom… ∗∗∗ Office 2021: VBA Project Version, (Sun, Dec 19th) ∗∗∗ --------------------------------------------- 2 years ago, in diary entry "VBA Office Document: Which Version?", I listed all internal VBA project version numbers for the Office versions I had access to. --------------------------------------------- https://isc.sans.edu/diary/rss/28150 ∗∗∗ Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store ∗∗∗ --------------------------------------------- A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge. --------------------------------------------- https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html ∗∗∗ Inside a PBX - Discovering a Firmware Backdoor ∗∗∗ --------------------------------------------- This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859). --------------------------------------------- https://blog.redteam-pentesting.de/2021/inside-a-pbx/ ∗∗∗ Weniger Datenklau am Geldautomaten: "Skimming nicht mehr interessant" ∗∗∗ --------------------------------------------- Kriminelle können mit per Skimming erbeuteten Daten von Bankkunden immer weniger anfangen. Weitaus größere Schäden richten inzwischen andere Methoden an. --------------------------------------------- https://heise.de/-6298777 ∗∗∗ Erpressergruppe Conti nutzt Sicherheitslücke "Log4Shell" für ihre Ransomware ∗∗∗ --------------------------------------------- Der Erpressungstrojaner der bekannten Conti-Gang wird bereits auf die Lücke "Log4Shell" losgelassen. Damit wächst das Bedrohungspotenzial deutlich. --------------------------------------------- https://heise.de/-6298874 ∗∗∗ Sicherheitsrisiko: Support für einige NAS-Systeme von Western Digital läuft aus ∗∗∗ --------------------------------------------- Mehrere NAS-Modelle der My-Cloud-Serie bekommen bald keine Sicherheitsupdates mehr. Diese Geräte sollten nicht mehr am Internet hängen. --------------------------------------------- https://heise.de/-6299386 ∗∗∗ Analyse, wie TeamTNT Docker-Hub-Konten kompromittiert ∗∗∗ --------------------------------------------- Und schon sind wir beim 19. Türchen im Security-Adventskalender meines Blogs und ich schiebe mal ein weiteres Sicherheitsthema hinter dieses Türchen. Der Sicherheitsanbieter Trend Micro hat einen Bericht veröffentlicht, der beleuchtet, wie der Bedrohungsakteur TeamTNT vorgeht, um Konten von Docker-Hubs [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/19/analyse-wie-teamtnt-docker-hub-kon… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.5 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.5 & 4.4. --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ Kernel Karnage – Part 7 (Out of the Lab and Back to Reality) ∗∗∗ --------------------------------------------- This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. --------------------------------------------- https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-b… ∗∗∗ Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password ∗∗∗ --------------------------------------------- After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts. An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password. --------------------------------------------- https://asec.ahnlab.com/en/29871/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0029 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address SSRF vulnerability (CVE-2021-22054) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0029.html ∗∗∗ VMSA-2021-0030 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0030.html ∗∗∗ XSA-392 ∗∗∗ --------------------------------------------- Guest can force Linux netback driver to hog large amounts of kernel memory --------------------------------------------- https://xenbits.xen.org/xsa/advisory-392.html ∗∗∗ XSA-391 ∗∗∗ --------------------------------------------- Rogue backends can cause DoS of guests via high frequency events --------------------------------------------- https://xenbits.xen.org/xsa/advisory-391.html ∗∗∗ XSA-376 ∗∗∗ --------------------------------------------- frontends vulnerable to backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-376.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/879228/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0007.html ∗∗∗ Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector [...] --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-dete… *** Log4j Security Advisories *** --------------------------------------------- Security Advisory - Apache Log4j2 CVE 2021-44228 (Log4Shell): https://www.beyondtrust.com/blog/entry/security-advisory-apache-log4j2-cve-… Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… Log4j Vulnerability CVE-2021-45105: What You Need to Know: https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-… An update on the Apache Log4j CVE-2021-44228 vulnerability: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… Citrix Security Advisory for Apache CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105: https://support.citrix.com/article/CTX335705 Log4j Zero-Day Vulnerability: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor: https://www.thezdi.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via… CVE-2021-44228 Impact of Log4j Vulnerability CVE-2021-44228 and CVE-2021-45046 (Severity: CRITICAL): https://security.paloaltonetworks.com/CVE-2021-44228 SSA-661247 V1.5 (Last Update: 2021-12-19): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt SSA-501673 V1.0: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-501673.txt Apache Log4j Vulnerability: http://security.googleblog.com/2021/12/apache-log4j-vulnerability.html Log4j Update Patches New Vulnerability That Allows DoS Attacks: https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1296 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2021
by Daily end-of-shift report 17 Dec '21

17 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-12-2021 18:00 − Freitag 17-12-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4j attackers switch to RMI to inject code and mine Monero ∗∗∗ --------------------------------------------- Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success. --------------------------------------------- https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rm… ∗∗∗ Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16) ∗∗∗ --------------------------------------------- After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution. --------------------------------------------- https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploit… ∗∗∗ How to Find and Fix a WordPress Pharma Hack ∗∗∗ --------------------------------------------- Did you know that one quarter of all spam emails are accredited to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results. Why, and how did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection? The answer is - money. --------------------------------------------- https://blog.sucuri.net/2021/12/how-to-find-and-fix-a-wordpress-pharma-hack… ∗∗∗ SWITCH Security Report November/December 2021 ∗∗∗ --------------------------------------------- Dear Reader The latest issue of our bi-monthly SWITCH Security Report is available. The main topics of the current report are: GoldDust but no nuggets: seven REvil partners caught, but the real orchestrators are still out there / EasyHack? Data belonging to COVID-19 loan recipients stolen from EasyGov platform / Tor under siege: massive de-anonymisation attacks target Tor network [...] --------------------------------------------- https://securityblog.switch.ch/2021/12/17/switch-security-report-2021-10-11/ ∗∗∗ Kritische Lücke bedroht Desktop-Management-System VMware Workspace ONE UEM ∗∗∗ --------------------------------------------- Angreifer könnten auf Servern liegende Informationen einsehen. Dagegen abgesicherte Versionen von VMwares Management-Software sind erschienen. --------------------------------------------- https://heise.de/-6297742 ∗∗∗ CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive ∗∗∗ --------------------------------------------- CISA had previously given civilian federal agencies until December 24 to apply any patches. --------------------------------------------- https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4… ∗∗∗ NSA and CISA Release Final Part IV of Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part IV: Ensure Integrity of Cloud Infrastructure focuses on platform integrity, microservices infrastructure integrity, launch time integrity, and build time security to ensure that 5G cloud resources are not modified without authorization. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/16/nsa-and-cisa-rele… ∗∗∗ Conti ransomware group adopts Log4Shell exploit ∗∗∗ --------------------------------------------- The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations. --------------------------------------------- https://therecord.media/conti-ransomware-group-adopts-log4shell-exploit/ ∗∗∗ Insides zu Irlands Health Service Executive Ransomware-Fall im Mai 2021 ∗∗∗ --------------------------------------------- Heute ist Türchen Nummer 17 im Sicherheits-Adventskalender dran. Ich habe da einen besonderen "Leckerbissen" für Administratoren hinterlegt. Im Mai 2021 gab es einen Ransomware-Angriff auf die Gesundheitsbehörden Irlands (Health Service Executive, HSE). PricewaterhouseCoopers hat kürzlich eine Analyse vorgelegt, was da [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/17/insides-zu-irlands-health-service-… ===================== = Vulnerabilities = ===================== ∗∗∗ UNIVERGE DT Series vulnerable to missing encryption of sensitive data ∗∗∗ --------------------------------------------- UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN13464252/ ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- Update December 17, 11:37 am IBM is focused on the original CVE-2021-44228 as the prevalent risk, requiring our attention and our customers’ attention. With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts). --------------------------------------------- https://lwn.net/Articles/879020/ ∗∗∗ Xylem AquaView ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Xylem AquaView SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-01 ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Read vulnerability in Delta Electronics CNCSoft industrial automation software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-02 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in the Wibu-Systems CodeMeter Runtime server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03 ∗∗∗ Mitsubishi Electric GX Works2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in #Mitsubishi Electrics GX Works2 engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-04 ∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-… ∗∗∗ Security Bulletin: Apache Log4J vulnerabilities affect IBM Cloud Object Storage File Access (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ K32171392: Apache Log4j2 vulnerability CVE-2021-45046 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32171392 ∗∗∗ Logback: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily