- Daily - CERT.at

Tageszusammenfassung - 09.03.2022
by Daily end-of-shift report 09 Mar '22

09 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-03-2022 18:00 − Mittwoch 09-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Betrug auf Discord: „Sorry, ich habe deinen Steam-Account gemeldet!“ ∗∗∗ --------------------------------------------- Gamerinnen und Gamer aufgepasst: Auf Discord kommt es momentan zu Kontaktaufnahmen durch Kriminelle, die sich für das Melden des Steam-Accounts entschuldigen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-auf-discord-sorry-ich-habe-de… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part Two ∗∗∗ --------------------------------------------- In the second of a two-part series of blogs, we examine the communications and networking features of Daxin. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ===================== = Vulnerabilities = ===================== ∗∗∗ Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint ∗∗∗ --------------------------------------------- Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoo… ∗∗∗ New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices. --------------------------------------------- https://thehackernews.com/2022/03/new-16-high-severity-uefi-firmware.html ∗∗∗ Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses ∗∗∗ --------------------------------------------- Researchers have disclosed three security vulnerabilities affecting Pascom Cloud Phone System (CPS) that could be combined to achieve a full pre-authenticated remote code execution of affected systems. --------------------------------------------- https://thehackernews.com/2022/03/critical-rce-bugs-found-in-pascom-cloud.h… ∗∗∗ TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices ∗∗∗ --------------------------------------------- Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. --------------------------------------------- https://www.armis.com/research/tlstorm/ ∗∗∗ Patchday: SAP behebt 16 Schwachstellen ∗∗∗ --------------------------------------------- Zum März-Patchday bei SAP liefert das Unternehmen Aktualisierungen für zwölf neue Sicherheitslücken aus. Zudem aktualisiert es vier ältere Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-6543439 ∗∗∗ Alte Lücke in Pulse Connect Secure-VPN wird angegriffen ∗∗∗ --------------------------------------------- Schon Mitte 2020 hat Pulse Secure in seiner VPN-Lösung Aktualisierungen veröffentlicht, die Sicherheitslücken schließen. Die Lücken werden jetzt angegriffen. --------------------------------------------- https://heise.de/-6544328 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, [...] --------------------------------------------- https://lwn.net/Articles/887309/ ∗∗∗ Microsoft Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/microsoft-release… ∗∗∗ SAP Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/sap-releases-marc… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/adobe-releases-se… ∗∗∗ ZDI-22-492: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-492/ ∗∗∗ ZDI-22-491: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-491/ ∗∗∗ ZDI-22-490: (0Day) Ecava IntegraXor Inkscape WMF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-490/ ∗∗∗ ZDI-22-489: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-489/ ∗∗∗ ZDI-22-488: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-488/ ∗∗∗ ZDI-22-487: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-487/ ∗∗∗ ZDI-22-486: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-486/ ∗∗∗ ZDI-22-485: (0Day) Ecava IntegraXor Inkscape PCX File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-485/ ∗∗∗ AMD: LFENCE/JMP Mitigation Update for CVE-2017-5715 ∗∗∗ --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 ∗∗∗ Intel Processor Advisory: INTEL-SA-00598 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in ISC BIND affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-isc-bind… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer Content Analytics Studio ( CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ XSA-398 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-398.html ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0279 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0276 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341586 ∗∗∗ NetApp SnapCenter Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500477-NETAPP-SNAPCENTER-INFOR… ∗∗∗ Brocade Fabric OS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500476-BROCADE-FABRIC-OS-VULNE… ∗∗∗ Lenovo Thin Installer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500475-LENOVO-THIN-INSTALLER-D… ∗∗∗ Glance by Mirametrix Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500474-GLANCE-BY-MIRAMETRIX-VU… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2022
by Daily end-of-shift report 08 Mar '22

08 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-03-2022 18:00 − Dienstag 08-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fernverwaltung mit Sicherheitslücke gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Viele medizinische IoT-Geräte enthalten Fernverwaltungssoftware von Axeda/PTC. Sicherheitslücken ermöglichen Angreifern das Einschleusen von Schadcode. --------------------------------------------- https://heise.de/-6542436 ∗∗∗ Stecker zum Stromsparen auf „getecotex.com“ ist Betrug ∗∗∗ --------------------------------------------- Auf getecotex.com wird ein Stecker zum Stromsparen angeboten. Für 59 Euro kann angeblich der Stromfluss stabilisiert, hochfrequenter Strom entfernt und die Energierechnung reduziert werden. Vorsicht: Diese Versprechen sind frei erfunden - ein solches Gerät existiert nicht. Sie werden betrogen und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecote… ∗∗∗ CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector ∗∗∗ --------------------------------------------- A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet. --------------------------------------------- https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-… ∗∗∗ Emotet growing slowly but steadily since November resurgence ∗∗∗ --------------------------------------------- The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-st… ∗∗∗ An attackers toolchest: Living off the land ∗∗∗ --------------------------------------------- If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land ∗∗∗ Androids March 2022 Security Updates Patch 39 Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component. --------------------------------------------- https://www.securityweek.com/androids-march-2022-security-updates-patch-39-… ∗∗∗ Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities ∗∗∗ --------------------------------------------- We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis. --------------------------------------------- https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/ ∗∗∗ Phishing attempts from FancyBear and Ghostwriter stepping up says Google ∗∗∗ --------------------------------------------- Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets. --------------------------------------------- https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwri… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part One ∗∗∗ --------------------------------------------- In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ FBI Releases Indicators of Compromise for RagnarLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indi… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- 08.03.2022 16:40 Bereich "Indirekte Angriffsfläche" erweitert --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Sicherheitslecks in APC Smart-UPS ∗∗∗ --------------------------------------------- In den APC Smart-UPS von Schneider Electric könnten Angreifer Sicherheitslücken ausnutzen, um Schadcode einzuschleusen oder die Geräte außer Funktion zu setzen. --------------------------------------------- https://heise.de/-6542950 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis). --------------------------------------------- https://lwn.net/Articles/887159/ ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02 ∗∗∗ Sensormatic PowerManage (Update A) ∗∗∗ --------------------------------------------- This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10 --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0268 ∗∗∗ Citrix Federated Authentication Service (FAS) Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341587 ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: IBM Security Directory Integrator has upgraded log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ SSA-250085: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt ∗∗∗ SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt ∗∗∗ SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt ∗∗∗ SSA-155599: File Parsing Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt ∗∗∗ SSA-148641: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt ∗∗∗ SSA-134279: Vulnerability in Mendix Forgot Password Appstore module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt ∗∗∗ SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt ∗∗∗ SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt ∗∗∗ SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt ∗∗∗ SSA-415938: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt ∗∗∗ SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt ∗∗∗ SSA-389290: Third-Party Component Vulnerabilities in SINEC INS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt ∗∗∗ SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt ∗∗∗ SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt ∗∗∗ SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2022
by Daily end-of-shift report 07 Mar '22

07 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-03-2022 18:00 − Montag 07-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ E-Mail vom "Zoll Kundenservice" ist Fake ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail von "[email protected]" wird behauptet, dass Ihr Paket nicht geliefert werden kann, da Zollgebühren nicht bezahlt wurden. Um die Zollgebühren zu begleichen, werden Sie aufgefordert, einen Paysafecard-Pin um 75 Euro zu schicken. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fa… ∗∗∗ Notfallupdate: Sicherheitslücken in Firefox und Thunderbird werden angegriffen ∗∗∗ --------------------------------------------- Die Mozilla-Stiftung hat außer der Reihe Sicherheitsupdates für Firefox, Klar und Thunderbird herausgegeben, die bereits aktiv angegriffene Lücken schließen. --------------------------------------------- https://heise.de/-6540649 ∗∗∗ Sicherheitsprobleme bei Samsung: Quellcode geklaut, unsichere Kryptografie ∗∗∗ --------------------------------------------- Einbrecher haben bei Samsung Quellcode entwendet. Zudem patzte der Hersteller bei Kryptografie in der Trusted Execution Environment von Flaggschiff-Smartphones. --------------------------------------------- https://heise.de/-6540849 ∗∗∗ Dirty Pipe: Linux-Kernel-Lücke erlaubt Schreibzugriff mit Root-Rechten ∗∗∗ --------------------------------------------- Ein Fehler bei der Verarbeitung von Pipes im Linux-Kernel lässt sich ausnutzen, um Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzug… ∗∗∗ Microsoft fixes critical Azure bug that exposed customer data ∗∗∗ --------------------------------------------- Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers data. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-az… ∗∗∗ Massive Meris Botnet Embeds Ransomware Notes from REvil ∗∗∗ --------------------------------------------- Notes threatening to tank targeted companies stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL. --------------------------------------------- https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/1… ∗∗∗ Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th) ∗∗∗ --------------------------------------------- Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort. --------------------------------------------- https://isc.sans.edu/diary/rss/28404 ∗∗∗ oledumps Extra Option, (Sat, Mar 5th) ∗∗∗ --------------------------------------------- A colleague asked if it was possible with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code. --------------------------------------------- https://isc.sans.edu/diary/rss/28406 ∗∗∗ Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking ∗∗∗ --------------------------------------------- Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victims box simply by knowing the IP [...] --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.ht… ∗∗∗ Backdooring WordPress using PyShell ∗∗∗ --------------------------------------------- PyShell is new tool made for bug bounty, ethical hacking, penetration testers or red-teamers. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. --------------------------------------------- https://blog.wpsec.com/backdooring-wordpress-using-pyshell/ ∗∗∗ Beware of malware offering “Warm greetings from Saudi Aramco” ∗∗∗ --------------------------------------------- A new Formbook campaign is targeting oil and gas companies. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware… ∗∗∗ Amcache contains SHA-1 Hash – It Depends! ∗∗∗ --------------------------------------------- If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. --------------------------------------------- https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/ ∗∗∗ Webhook Party – Malicious packages caught exfiltrating data via legit webhook services ∗∗∗ --------------------------------------------- Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload [...] --------------------------------------------- https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltra… ===================== = Vulnerabilities = ===================== ∗∗∗ New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances ∗∗∗ --------------------------------------------- Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. --------------------------------------------- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...] --------------------------------------------- https://lwn.net/Articles/887055/ ∗∗∗ Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device ∗∗∗ --------------------------------------------- Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device. --------------------------------------------- https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte… ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Some unspecified vulnerabilities in Java SE result in the unauthenticated attacker to take control of the system or some impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerab… ∗∗∗ Bitdefender Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0264 ∗∗∗ Webmin: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0267 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0266 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0265 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2022
by Daily end-of-shift report 04 Mar '22

04 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-03-2022 18:00 − Freitag 04-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 8-Character Passwords Can Be Cracked in Less than 60 Minutes ∗∗∗ --------------------------------------------- Researchers say passwords with less than seven characters can be hacked "instantly." --------------------------------------------- https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-c… ∗∗∗ 5 Risks That Can Cause Your Website to Get Reinfected ∗∗∗ --------------------------------------------- Re-infections are one of the most frustrating encounters site owners experience. Like a game of whack-a-mole, when you think you’ve found and removed everything malicious, more malicious content pops up. --------------------------------------------- https://blog.sucuri.net/2022/03/5-risks-that-can-cause-your-website-to-get-… ∗∗∗ SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store ∗∗∗ --------------------------------------------- NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android banking malware. --------------------------------------------- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-bankin… ∗∗∗ Nvidias geleakte Code-Signing-Zertifikate missbraucht ∗∗∗ --------------------------------------------- Die Einbrecher haben bei Nvidia auch Code-Signing-Zertifikate entwendet und veröffentlicht. Mit denen werden nun Angriffs-Tools signiert. --------------------------------------------- https://heise.de/-6537255 ∗∗∗ Betrügerische Spendenaufrufe: Kriminelle missbrauchen Krieg in der Ukraine ∗∗∗ --------------------------------------------- Um Menschen in der Ukraine finanziell zu unterstützen, gibt es derzeit zahlreiche Möglichkeiten. Doch auch Kriminelle missbrauchen diese Situation und erstellen betrügerische Webseiten mit Spendenaufrufen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenaufrufe-krimin… ∗∗∗ A Backdoor Lockpick ∗∗∗ --------------------------------------------- In early September, 2021, a fairly ordinary and inexpensive residential router came into the Zero Day research team’s possession. --------------------------------------------- https://medium.com/tenable-techblog/a-backdoor-lockpick-d847a83f4496 ∗∗∗ Die Renaissance des Cybervigilantismus ∗∗∗ --------------------------------------------- Der Krieg zwischen Russland und der Ukraine hat als - bis zu einem gewissen Grad überraschenden - Nebeneffekt die Renaissance von Software, die der durch Anonymous bekannt und populär gemachten, zu DDoS-Zwecken verwendeten "Low Orbit Ion Cannon" ähnelt. Dutzende solcher Programme oder auf dem selben Prinzip basierende Webseiten werden aktuell auf den sozialen Netzwerken verteilt und fast schon begeistert von vielen Menschen genutzt. --------------------------------------------- https://cert.at/de/blog/2022/3/die-renaissance-des-cybervigilantismus ∗∗∗ NSA Releases Network Infrastructure Security Guidance ∗∗∗ --------------------------------------------- The report captures best practices based on the depth and breadth of experience in supporting customers and responding to threats. Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/nsa-releases-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Amazon Alexa can be hijacked via commands from own speaker ∗∗∗ --------------------------------------------- Without a critical update, Amazon Alexa devices could wake themselves up and start executing audio commands issued by a remote attacker, according to infosec researchers at Royal Holloway, University of London. --------------------------------------------- https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/ ∗∗∗ New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? ∗∗∗ --------------------------------------------- CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ ∗∗∗ Kritische Root-Lücken gefährden Ciscos Fernzugriff-Software Expressway Series ∗∗∗ --------------------------------------------- Der Netzwerkhersteller Cisco hat wichtige Sicherheitsupdates für Expressway Series, StarOS & Co. veröffentlicht. --------------------------------------------- https://heise.de/-6537019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/886792/ ∗∗∗ pfSense-pkg-WireGuard vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85572374/ ∗∗∗ B&R APROL and B&R APROL: A flaw in Chainsaw component of Log4j can lead to code execution ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16449471… ∗∗∗ Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-soar-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security QRadar SOAR ( CVE-2021-35560, CVE-2021-35578, CVE-2021-35564, CVE-2021-35565, CVE-2021-35588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Trailer Power Line Communications (PLC) J2497 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-063-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2022
by Daily end-of-shift report 03 Mar '22

03 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-03-2022 18:00 − Donnerstag 03-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Free decryptor released for HermeticRansom victims in Ukraine ∗∗∗ --------------------------------------------- Avast Threat Labs has released a decryptor for the HermeticRansom ransomware strain used predominately in targeted attacks against Ukrainian systems in the past ten days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ Researchers Devise Attack for Stealing Data During Homomorphic Encryption ∗∗∗ --------------------------------------------- A vulnerability in a Microsoft crypto library gives attackers a way to figure out what data is being encrypted in lockpicker-like fashion. --------------------------------------------- https://www.darkreading.com/application-security/researchers-devise-attack-… ∗∗∗ Threat landscape for industrial automation systems, H2 2021 ∗∗∗ --------------------------------------------- By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ The Truth About USB Device Serial Numbers – (and the lies your tools tell) ∗∗∗ --------------------------------------------- Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. --------------------------------------------- https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers?msc=rss ∗∗∗ Vorsicht vor diesen betrügerischen Handwerksdiensten! ∗∗∗ --------------------------------------------- Ihnen ist die Tür zugefallen, der Schlüssel abgebrochen, oder ein Abflussrohr ist verstopft? Solche Notsituationen werden zunehmend von Kriminellen ausgenutzt: Sie bieten schnelle und einfache Hilfe an, doch Vorsicht! Diese unseriösen Anbieter verlangen Wucherpreise in bar und beheben oft nicht einmal das Problem! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-diesen-betruegerischen-… ∗∗∗ Update: Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Version 1.3 03.03.2022 15:45 * Weitere Empfehlungen, "Weitere Lektüre" Sektion * Aufgrund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifische Gefährdung für Österreich ist aktuell noch nicht auszumachen. --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/886683/ ∗∗∗ Zoho ManageEngine Desktop Central: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Zoho ManageEngine Desktop Central ausnutzen, um Informationen offenzulegen. CVE Liste: CVE-2022-23779 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0253 ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Autodesk AutoCAD ausnutzen, um beliebigen Programmcode auszuführen. CVE Liste: CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25795 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0252 ∗∗∗ Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-is-vulnerable-to-by… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-components-are-affe… ∗∗∗ Security Bulletin: IBM DataPower affected by vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-affected-by… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ K73200428: Linux kernel vulnerability CVE-2022-0185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73200428?utm_source=f5support&utm_mediu… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-01 ∗∗∗ BD Viper LT ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02 ∗∗∗ IPCOMM ipDIO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2022
by Daily end-of-shift report 02 Mar '22

02 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-03-2022 18:00 − Mittwoch 02-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing attacks target countries aiding Ukrainian refugees ∗∗∗ --------------------------------------------- A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attacks-target-coun… ∗∗∗ Geoblocking when you cant Geoblock, (Tue, Mar 1st) ∗∗∗ --------------------------------------------- Given recent events, I've gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). --------------------------------------------- https://isc.sans.edu/diary/rss/28392 ∗∗∗ TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps ∗∗∗ --------------------------------------------- An Android banking trojan designed to steal credentials and SMS messages has been observed once again sneaking past Google Play Store protections to target users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. --------------------------------------------- https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.ht… ∗∗∗ "Authority-Scam": Kriminelle imitieren Behörden für Investment-Betrug ∗∗∗ --------------------------------------------- Beim „Authority-Scam“ geben sich die Kriminellen als Behörde aus und fordern Zahlungen wegen der Investments. Nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-kriminelle-imitieren-… ∗∗∗ Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization ∗∗∗ --------------------------------------------- Scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations found 75% had known security gaps. --------------------------------------------- https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack ∗∗∗ --------------------------------------------- As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack. --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-reported-in-popular-open.ht… ∗∗∗ IBM warnt vor zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- IBM hat für diverse Produkte Updates veröffentlicht, die teils kritische Sicherheitslücken schließen. Administratoren sollten sie zeitnah installieren. --------------------------------------------- https://heise.de/-6531076 ∗∗∗ Sicherheitsupdates von Fortinet: Angreifer könnten Admin-Zugänge erraten ∗∗∗ --------------------------------------------- Unter anderen FortiMail und FortiWLC sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6531249 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/886560/ ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in AIX CAA (CVE-2022-22350, CVE-2021-38996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-aix-ca… ∗∗∗ Security Bulletin: SQL injection vulnerability in PostgreSQL affects IBM Connect:Direct Web Services (CVE-2021-23214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote attacker due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Bulletin: IBM InfoSphere Master Data Management Server vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-inf… ∗∗∗ Security Bulletin: Vulnerabilities with Expat, Spring Framework and Apache HTTP Server affect IBM Cloud Object Storage Systems (Feb 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ VMSA-2022-0007 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0007.html ∗∗∗ K34519550: Linux kernel vulnerability CVE-2021-27364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34519550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2022
by Daily end-of-shift report 01 Mar '22

01 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-02-2022 18:00 − Dienstag 01-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Axis Communications shares details on disruptive cyberattack ∗∗∗ --------------------------------------------- Axis Communications has published a post mortem about a cyberattack that caused severe disruption in their systems, with some systems still partially offline. --------------------------------------------- https://www.bleepingcomputer.com/news/security/axis-communications-shares-d… ∗∗∗ Cyber threat activity in Ukraine: analysis and resources ∗∗∗ --------------------------------------------- Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts. We’ve brought together all our analysis and guidance for customers who may be impacted by events ... --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/02/28/analysis-resources-cyber-thr… ∗∗∗ Instagram scammers as busy as ever: passwords and 2FA codes at risk ∗∗∗ --------------------------------------------- Instagram scams dont seem to be dying out - were seeing more variety and trickiness than ever... --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-e… ∗∗∗ Triaging A Malicious Docker Container ∗∗∗ --------------------------------------------- Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, we will walk through the triage of a malicious image containing a previously undetected-in-VirusTotal (at the time of this writing) piece of malware --------------------------------------------- https://sysdig.com/blog/triaging-malicious-docker-container/ ∗∗∗ How To Protect Magento Websites ∗∗∗ --------------------------------------------- As of recently, Magento1 has become outdated and no longer supported. Adobe’s goal is to move all users away to Magento2 instead, which has 2FA and a non-standard login URL enabled by default, being generally more secure. Migrating is very costly for an average business, however, so this article will hopefully shed some light on how you can still protect your site regardless of which version of Magento is currently being used. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-protect-magento-websites.html ∗∗∗ Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail ∗∗∗ --------------------------------------------- Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gangs AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. --------------------------------------------- https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html ∗∗∗ Nein, Signal wurde nicht gehackt ∗∗∗ --------------------------------------------- Auf Twitter tritt Signal derzeit Gerüchten entgegen, die behaupten, der Messenger sei gehackt oder anderweitig kompromittiert worden. Die Gerüchte "sind falsch. Signal wurde nicht gehackt", betont Signal auf Twitter. "Wir glauben, dass diese Gerüchte Teil einer koordinierten Fehlinformationskampagne sind, die die Menschen dazu bringen soll, weniger sichere Alternativen zu nutzen." --------------------------------------------- https://www.golem.de/news/messenger-nein-signal-wurde-nicht-gehackt-2203-16… ∗∗∗ Unusual sign-in activity mail goes phishing for Microsoft account holders ∗∗∗ --------------------------------------------- We look at a phishing mail which may cause concern for users of Microsoft services as it claims theres been a suspicious login from Russia.The post Unusual sign-in activity mail goes phishing for Microsoft account holders appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/03/unusual-sign-in-activity-mail-g… ∗∗∗ DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification ∗∗∗ --------------------------------------------- Threat actors specializing in distributed denial-of-service (DDoS) attacks have started abusing network middleboxes for reflection and amplification, Akamai warns. --------------------------------------------- https://www.securityweek.com/ddos-attacks-abuse-network-middleboxes-reflect… ∗∗∗ Betrügerische Investitionsplattformen: Checken Sie unsere Liste ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! In diesem Artikel listen wir betrügerische Investitionsplattformen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-investitionsplattform… ∗∗∗ Tales from the Field: Coin-Operated Culprit ∗∗∗ --------------------------------------------- Due to a lack of proper visibility and segmentation, a breakroom vending machine was provided unfettered access to an operational network worth billions of dollars. --------------------------------------------- https://claroty.com/2022/02/28/blog-tales-from-the-field-coin-operated-culp… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in VoipMonitor ∗∗∗ --------------------------------------------- I discovered and reported a few bugs in VoipMonitor ranging from a simple authentication bypass to a full RCE chain. Here I'll describe "most" of these bugs. The issues have been patched in VoipMonitor GUI version 24.97. --------------------------------------------- https://kerbit.io/research/read/blog/3 ∗∗∗ Cloud-Schutzlösung von Okta könnte Schadcode auf Server lassen ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt ein Schadcode-Schlupfloch in Okta Advanced Server Client. --------------------------------------------- https://heise.de/-6529223 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/886472/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Lansweeper could lead to JavaScript, SQL injections ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Lansweeper IT asset management solution that could allow an attacker to inject JavaScript or SQL code on the targeted device. [..] Users are encouraged to update these affected products as soon as possible: Lansweeper version 9.1.20.2. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues. --------------------------------------------- http://blog.talosintelligence.com/2022/03/vuln-spotlight-.html ∗∗∗ ZDI-22-424: (0Day) Delta Industrial Automation DIAEnergie AM_Handler SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-424/ ∗∗∗ ZDI-22-423: (0Day) Delta Industrial Automation DIAEnergie HandlerPage_KID Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-423/ ∗∗∗ ZDI-22-422: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-422/ ∗∗∗ ZDI-22-421: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-421/ ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service (CVE-2021-44790, CVE-2021-34798, CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-http-server-as-use… ∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System (CVE-2021-3583) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management(CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an incorrect session invalidation vulnerability (CVE-2021-38986) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Dashboards may be vulnerable to a denial of service vulnerability due to IBM X-Force vulnerability 220063 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in AIX audit commands (CVE-2021-38955) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-audi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a Java vulnerability (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow unauthorized viewing of logs and files (CVE-2022-22326) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27645) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a password hash that provides insufficient protection (CVE-2022-22321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Datacap is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2022
by Daily end-of-shift report 28 Feb '22

28 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-02-2022 18:00 − Montag 28-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Visual Voice Mail on Android may be vulnerable to eavesdropping ∗∗∗ --------------------------------------------- The security researcher, Chris Talbot, discovered the flaw on June 21, 2021, and filed the vulnerability under CVE-2022-23835. The bug is not a flaw in the Android operating system but rather how the service is implemented by mobile carriers. However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report for describing a non-exploitable risk, while Sprint and Verizon have not responded. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android… ∗∗∗ Reborn of Emotet: New Features of the Botnet and How to Detect it ∗∗∗ --------------------------------------------- One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotets executables. And it looked like the end of the trojans story. But the malware never ceased to surprise. November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. --------------------------------------------- https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.h… ∗∗∗ CISA Warns of High-Severity Flaws in Schneider and GE Digitals SCADA Software ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electrics Easergy medium voltage protection relays. --------------------------------------------- https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html ∗∗∗ Rogue RDP – Revisiting Initial Access Methods ∗∗∗ --------------------------------------------- With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover. --------------------------------------------- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-metho… ∗∗∗ BSI liefert "Maßnahmenkatalog Ransomware" ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik stellt im "Maßnahmenkatalog Ransomware" für Unternehmen und Behörden wichtige Präventionsmaßnahmen vor. --------------------------------------------- https://heise.de/-6528055 ∗∗∗ BrokenPrint: A Netgear stack overflow ∗∗∗ --------------------------------------------- This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3 --------------------------------------------- https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overfl… ∗∗∗ Bestellungen bei herzens-mensch.de und heimfroh.com führen zu Problemen ∗∗∗ --------------------------------------------- Bei den Online-Shops herzens-mensch.de und heimfroh.com handelt es sich um sogenannte Dropshipping-Shops. Die Shops geben an, ein österreichisches Unternehmen zu sein, liefern jedoch aus Asien. Diese Vorgehensweise ist nicht unbedingt betrügerisch, eine Bestellung bei herzens-mensch.de oder heimfroh.com kann aber sehr teuer werden und zu zahlreichen Problemen führen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-un… ∗∗∗ Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks ∗∗∗ --------------------------------------------- The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..] --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Auf Grund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifsch hohe Gefährdung für Österreich ist aktuell noch nicht auszumachen. Wir sind in laufendem Kontakt mit unseren Kollegen im europäischen CSIRTs Network und in den nationalen Koordinierungsstrukturen. --------------------------------------------- https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen ∗∗∗ BlackCat ransomware ∗∗∗ --------------------------------------------- AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ Mozillas VPN-Client könnte Schadcode nachladen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für Mozilla VPN. Nach erfolgreichen Attacken könnten Angreifer Systeme übernehmen. --------------------------------------------- https://heise.de/-6527681 ∗∗∗ Programmiersprache: Sicherheitslücke ermöglicht Codeschmuggel in PHP ∗∗∗ --------------------------------------------- Mit neuen PHP-Versionen schließen die Entwickler Sicherheitslücken, die Angreifern unter Umständen das Einschleusen von Schadcode ermöglichen könnten. --------------------------------------------- https://heise.de/-6527558 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/886358/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403 --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html ∗∗∗ ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&Language… ∗∗∗ Security Bulletin: Vulnerability in Java SE -CVE-2021-2161 may affect IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE – 2021-22930 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE-2021-22959, CVE-2021-22960 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2022
by Daily end-of-shift report 25 Feb '22

25 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-02-2022 18:00 − Freitag 25-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US and UK expose new malware used by MuddyWater hackers ∗∗∗ --------------------------------------------- MuddyWater is "targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-uk-expose-new-malware… ∗∗∗ Jester Stealer malware adds more capabilities to entice hackers ∗∗∗ --------------------------------------------- An infostealing piece of malware called Jester Stealer has been gaining popularity in the underground cybercrime community for its functionality and affordable prices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jester-stealer-malware-adds-… ∗∗∗ Cyberangriffe im Ukraine-Krieg: BSI warnt Behörden und Unternehmen nachdrücklich ∗∗∗ --------------------------------------------- Das BSI hat ein weiteres Warnschreiben an Unternehmen und Behörden geschickt. Demnach gibt es Netzwerkscans und erste Wiper in Partnerstaaten. --------------------------------------------- https://www.golem.de/news/cyberangriffe-im-ukraine-krieg-bsi-warnt-behoerde… ∗∗∗ Some details of the DDoS attacks targeting Ukraine and Russia in recent days ∗∗∗ --------------------------------------------- At 360Netlab, we continuously track botnets on a global scale through our BotMon system. In particular, for DDoS-related botnets, we further tap into their C2 communications to enable us really see the details of the attacks. --------------------------------------------- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukra… ∗∗∗ Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure ∗∗∗ --------------------------------------------- The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. --------------------------------------------- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html ∗∗∗ „ID-app aktivieren“: Betrügerisches Mail im Namen der Volksbank im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische E-Mails im Namen der Volksbank, in der dazu aufgefordert wird die ID-app zu aktivieren. Diese App wird von der Volksbank tatsächlich angeboten, um mehr Sicherheit zu gewährleisten. In diesem Fall missbrauchen aber Kriminelle diese Sicherheitsmaßnahme, um an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/id-app-aktivieren-betruegerisches-ma… ∗∗∗ Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement) ∗∗∗ --------------------------------------------- We provide an overview of known cyberthreats related to the Russia-Ukraine crisis including DDoS attacks, HermeticWiper and defacement and share recommendations for proactive defense. --------------------------------------------- https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukrai… ∗∗∗ Mac-Malware auf dem Vormarsch ∗∗∗ --------------------------------------------- Die Sicherheitsgefahren für mobile Geräte und Macs nehmen zu. Festgestellt wurden die Mac-Malware-Familien Cimpli, Pirrit, Imobie, Shlayer und Genieo. --------------------------------------------- https://www.zdnet.de/88399571/mac-malware-auf-dem-vormarsch/ ∗∗∗ Threat Update – Ukraine & Russia conflict ∗∗∗ --------------------------------------------- In this report, NVISO CTI describes the cyber threat landscape of Ukraine and by extension the current situation. --------------------------------------------- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ ∗∗∗ New Infostealer ‘ColdStealer’ Being Distributed ∗∗∗ --------------------------------------------- The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer. --------------------------------------------- https://asec.ahnlab.com/en/32090/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Java- und Kernel-Lücken in IBM AIX bedrohen Server ∗∗∗ --------------------------------------------- Angreifer könnten Server mit IBM AIX attackieren und im schlimmsten Fall die volle Kontrolle über Systeme erlangen. --------------------------------------------- https://heise.de/-6526120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd). --------------------------------------------- https://lwn.net/Articles/886124/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: CVE-2021-35550 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35550-may-affect… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: Vulnerability in the AIX smbcd daemon (CVE-2021-38993) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-coul… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM Application Server Liberty due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Mozilla VPN local privilege escalation via uncontrolled OpenSSL search path ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/ ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-01 ∗∗∗ Mitsubishi Electric EcoWebServerIII ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-02 ∗∗∗ Schneider Electric Easergy P5 and P3 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03 ∗∗∗ Baker Hughes Bently Nevada 3500 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2022
by Daily end-of-shift report 24 Feb '22

24 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-02-2022 18:00 − Donnerstag 24-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware infiltrates Microsoft Store via clones of popular games ∗∗∗ --------------------------------------------- A malware named Electron Bot has found its way into Microsofts Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsof… ∗∗∗ Malware: Mit Wipern und DDoS gegen ukrainische IT-Systeme ∗∗∗ --------------------------------------------- Etliche Webseiten in der Ukraine sind nicht erreichbar. Zudem sind Hunderte Rechner von einer vernichtenden Schadsoftware befallen. --------------------------------------------- https://www.golem.de/news/malware-mit-wipern-und-ddos-gegen-ukrainische-it-… ∗∗∗ Ukraine & Russia Situation From a Domain Names Perspective , (Thu, Feb 24th) ∗∗∗ --------------------------------------------- Every time, something happens in the world like an earthquake, big floods, or even major sports events, it is followed by a peak of new domains registrations. --------------------------------------------- https://isc.sans.edu/diary/rss/28376 ∗∗∗ Shadowserver Special Reports - Cyclops Blink ∗∗∗ --------------------------------------------- In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blin… ∗∗∗ HermeticWiper: New Destructive Malware Used In Cyber Attacks on Ukraine ∗∗∗ --------------------------------------------- On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. --------------------------------------------- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ ∗∗∗ SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors ∗∗∗ --------------------------------------------- SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed. --------------------------------------------- https://unit42.paloaltonetworks.com/sockdetour/ ∗∗∗ Clang Checkers and CodeQL Queries for Detecting Untrusted Pointer Derefs and Tainted Loop Conditions ∗∗∗ --------------------------------------------- In this final blog of the series, we experiment with CodeQL’s IR and Clang checkers for detecting such bug classes. --------------------------------------------- https://www.thezdi.com/blog/2022/2/22/clang-checkers-and-codeql-queries-for… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerabilities in Accusoft ImageGear could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear. --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-accusoft-code.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco schließt Root-Lücke in Netzwerk-OS, gibt wichtige Hinweise für Firewalls ∗∗∗ --------------------------------------------- Wer eine Firewall von Cisco nutzt, sollte diese aus Sicherheitsgründen bis Anfang März aktualisieren. Außerdem gibt es Patches für NX-OS. --------------------------------------------- https://heise.de/-6524029 ∗∗∗ Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin ∗∗∗ --------------------------------------------- On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerab… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0). --------------------------------------------- https://lwn.net/Articles/885885/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird). --------------------------------------------- https://lwn.net/Articles/885997/ ∗∗∗ Security Bulletin: Datastax Enterprise with IBM is vulnerable to exploiting Apache Cassandra User-Defined Functions for Remote Code Execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastax-enterprise-with-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities were detected in IBM Sterling External Authentication Server (CVE-2022-22333, CVE-2022-22349) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Security Bulletin: IBM Operational Decision Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) . ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operational-decision-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-38994, CVE-2021-38995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ai… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Logback ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Sterling Secure Proxy (CVE-2022-22336, CVE-2022-22333) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ VMSA-2022-0006 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0006.html ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0232 ∗∗∗ XSS Vulnerabilities in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2022
by Daily end-of-shift report 23 Feb '22

23 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-02-2022 18:00 − Mittwoch 23-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LockBit, Conti most active ransomware targeting industrial sector ∗∗∗ --------------------------------------------- Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ra… ∗∗∗ Entropy ransomware linked to Dridex malware downloader ∗∗∗ --------------------------------------------- Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to… ∗∗∗ Creaky Old WannaCry, GandCrab Top the Ransomware Scene ∗∗∗ --------------------------------------------- Nothing like zombie campaigns: WannaCrys old as dirt, and GandCrab threw in the towel years ago. Theyre on auto-pilot at this point, researchers say. --------------------------------------------- https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/ ∗∗∗ How to Fix the specialadves WordPress Redirect Hack ∗∗∗ --------------------------------------------- Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-fix-the-specialadves-wordpress-redir… ∗∗∗ 25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository ∗∗∗ --------------------------------------------- Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. --------------------------------------------- https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html ∗∗∗ Cisco warns firewall customers of four-day window for urgent updates ∗∗∗ --------------------------------------------- Firewalls are supposed to update so they block new threats – miss this deadline and they might not. --------------------------------------------- https://www.theregister.com/2022/02/23/cisco_firepower_rapid_update_require… ∗∗∗ SameSite: Hax – Exploiting CSRF With The Default SameSite Policy ∗∗∗ --------------------------------------------- Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF. --------------------------------------------- https://pulsesecurity.co.nz/articles/samesite-lax-csrf ∗∗∗ Shadowserver Starts Conducting Daily Scans to Help Secure ICS ∗∗∗ --------------------------------------------- The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. --------------------------------------------- https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-hel… ∗∗∗ Investieren Sie nicht bei bottic.org! ∗∗∗ --------------------------------------------- Schnell, viel Geld verdienen mit Crypto-Investments, das verspricht eine Vielzahl an unseriösen Investitionsplattformen. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/investieren-sie-nicht-bei-botticorg/ ∗∗∗ Increased Phishing Attacks Disguised as Microsoft ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. --------------------------------------------- https://asec.ahnlab.com/en/31994/ ∗∗∗ (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware ∗∗∗ --------------------------------------------- UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. --------------------------------------------- https://www.mandiant.com/resources/unc2596-cuba-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Planning Analytics, IBM Planning Analytics Workspace, IBM Cúram Social Program Management, IBM SDK Java Technology Edition, IBM Cloud Application Business Insights, IBM Sterling Global Mailbox, Content Collector, IBM WebSphere Application Server, CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-02-23 ∗∗∗ --------------------------------------------- Cisco has published 4 Security Advisories: 3 High, 1 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ ZDI-22-404: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr1 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-404/ ∗∗∗ ZDI-22-403: (0Day) WECON LeviStudioU UMP File Parsing XY Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-403/ ∗∗∗ ZDI-22-402: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr2 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-402/ ∗∗∗ ZDI-22-401: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-401/ ∗∗∗ ZDI-22-400: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-400/ ∗∗∗ ZDI-22-399: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-399/ ∗∗∗ ZDI-22-398: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-398/ ∗∗∗ ZDI-22-397: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-397/ ∗∗∗ ZDI-22-396: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-396/ ∗∗∗ ZDI-22-395: (0Day) WECON LeviStudioU UMP File Parsing Disc Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-395/ ∗∗∗ SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-306654.txt ∗∗∗ Remote Code Execution in pfSense <= 2.5.2 ∗∗∗ --------------------------------------------- https://www.shielder.it/advisories/pfsense-remote-command-execution/ ∗∗∗ CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool ∗∗∗ --------------------------------------------- https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-vulnerabi… ∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0223 ∗∗∗ SA45038 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-2385… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2022
by Daily end-of-shift report 22 Feb '22

22 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-02-2022 18:00 − Dienstag 22-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Revamped CryptBot malware spread by pirated software sites ∗∗∗ --------------------------------------------- A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-sp… ∗∗∗ VU#229438: Mobile device monitoring services do not authenticate API requests ∗∗∗ --------------------------------------------- The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. [..] We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." --------------------------------------------- https://kb.cert.org/vuls/id/229438 ∗∗∗ Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike ∗∗∗ --------------------------------------------- Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. --------------------------------------------- https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html ∗∗∗ Horde Webmail 5.2.22 - Account Takeover via Email ∗∗∗ --------------------------------------------- We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment. [..] Although we reported this vulnerability almost 6 months ago, there is currently no official patch available. Hence, we provide recommendations on how to mitigate this code vulnerability at the end of this blog post. --------------------------------------------- https://blog.sonarsource.com/horde-webmail-account-takeover-via-email ∗∗∗ Empfehlungen: Mit kostenlosen IT-Security-Tools Computer sicherer machen ∗∗∗ --------------------------------------------- Admins aufgepasst: IT-Security ist komplex, doch es gibt jede Menge nützliche und vor allem kostenlose Services und Tools, die helfen können. Eine Auflistung. --------------------------------------------- https://heise.de/-6515891 ∗∗∗ Achtung: E-Mail von DNS Österreich ist Fake ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan ein E-Mail von DNS Österreich. Das vermeintliche Unternehmen behauptet darin, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, die Domain für € 297,50 vorab zu kaufen. Überweisen Sie nichts, Sie verlieren Ihr Geld. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-mail-von-dns-oesterreich-i… ∗∗∗ Asustor NAS owners hit by DeadBolt ransomware attack ∗∗∗ --------------------------------------------- While Asustor investigates what is clearly a serious problem, it says it has disabled functionality which can allow remote access to its NAS drives: ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to. In addition, the company has published the following recommendations for customers to protect themselves from the DeadBolt ransomware --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/asustor-nas-owners-hit-by-d… ∗∗∗ Ransomware victims are paying up. But then the gangs are coming back for more ∗∗∗ --------------------------------------------- Cybersecurity experts warn against paying ransoms - this is why. --------------------------------------------- https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-croo… ∗∗∗ Integer overflow: How does it occur and how can it be prevented? ∗∗∗ --------------------------------------------- Make no mistake, counting on a computer is not as easy as it may seem. Here’s what happens when a number gets “too big”. --------------------------------------------- https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can… ∗∗∗ Kernel Karnage – Part 9 (Finishing Touches) ∗∗∗ --------------------------------------------- I also incorporated dynamic function imports using hashed function names and CIG to protect the spawned suspended process against injection of non-Microsoft-signed binaries. The Beacon payload is stored as an AES256 encrypted PE resource and decrypted in memory before being injected into the remote process. --------------------------------------------- https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/ ===================== = Vulnerabilities = ===================== ∗∗∗ NAS: Sicherheitslücke in Synology DSM erlaubt Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- Angreifer könnten beliebige Befehle auf Synology-NAS-Geräten ausführen. Der Hersteller arbeitet an Updates zum Beheben der Fehler. Erste stehen bereit. --------------------------------------------- https://heise.de/-6515542 ∗∗∗ TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer ∗∗∗ --------------------------------------------- Third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to bypassing the sanitization strategy. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2022-001 ∗∗∗ Reflected XSS in Header Footer Code Manager ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations. The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Webmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Code auszuführen --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0217 ∗∗∗ EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67108459/ ∗∗∗ EC-CUBE improperly handles HTTP Host header values ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53871926/ ∗∗∗ ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php ∗∗∗ Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-cast-iron-and-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU (minus CVE-2021-35550/35561/35603) plus CVE-2021-41035 affects IBM Tivoli Composite Application Manager for ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ GE Proficy CIMPLICITY-IPM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01 ∗∗∗ GE Proficy CIMPLICITY-Cleartext ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02 ∗∗∗ WIN-911 2021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2022
by Daily end-of-shift report 21 Feb '22

21 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-02-2022 18:00 − Montag 21-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Versuchter Finanzbetrug nach Exchange-Einbruch ∗∗∗ --------------------------------------------- Nachdem die Exchange-Sicherheitslücken abgedichtet wurden, gingen Angriffe weiter. Mittels Spear-Phishing sollten die Opfer zu Überweisungen gedrängt werden. --------------------------------------------- https://heise.de/-6509718 ∗∗∗ Ungewöhnlicher Krypto-Raubzug erbeutet Millionen ∗∗∗ --------------------------------------------- Der Klayswap-Angriff hingegen attackierte Infrastruktur, auf die sich im Prinzip alle Internet-Dienste verlassen: das Routing, Zertifikate und Open-Source-Bibliotheken. Letztlich tauschten die Angreifer eine nachgeladene JavaScript-Datei durch eine trojanisierte Version aus, die Transaktionen auf ihr eigenes Konto umleitete. Spannend ist jedoch, wie sie das bewerkstelligten. --------------------------------------------- https://heise.de/-6496145 ∗∗∗ European Cybersecurity Agencies Issue Resilience Guidance for Decision Makers ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the European Union’s Computer Emergency Response Team (CERT-EU) last week published a set of best practices to help organizations boost their cyber resilience. The joint guidance is meant for public and private organizations in the EU, specifically CISOs and other decision makers. The document is also recommended for entities that support organizational risk management. --------------------------------------------- https://www.securityweek.com/european-cybersecurity-agencies-issue-resilien… ∗∗∗ Schicken Sie Ihrer Internet-Bekanntschaft keine Steam-Guthaben-Codes ∗∗∗ --------------------------------------------- Soziale Netzwerke wie Facebook und Instagram sind beliebte Kanäle, um neue Bekanntschaften zu machen. Beim Austausch mit Fremden über das Internet besteht aber immer die Gefahr, dass sich die Person als jemand anderes ausgibt. Bittet Sie diese Person um Geld oder Guthabenkarten, sollten Sie den Kontakt abbrechen! --------------------------------------------- https://www.watchlist-internet.at/news/schicken-sie-ihrer-internet-bekannts… ∗∗∗ Ransomware trifft Europas industrielle Steuersysteme und Betriebstechnik so häufig wie IT-Systeme ∗∗∗ --------------------------------------------- Interessante Erkenntnisse aus einer Befragung von 1.100 Security-Spezialisten im Rahmen einer Studie im Hinblick auf die Sicherheit industrieller Anlagen und der kritischen Infrastruktur in Europa. Die Aussage der Studie war, dass industrielle Steuersysteme und Betriebstechnik in Europa fast ebenso häufig wie die IT-Systeme von Ransomware befallen wurde. --------------------------------------------- https://www.borncity.com/blog/2022/02/19/ransomware-trifft-europas-industri… ∗∗∗ Sicherheitslücke in diversen zebNet-Produkten entdeckt (Feb. 2022) ∗∗∗ --------------------------------------------- In Folge dieser Entdeckung hat zebNet für sämtliche betroffene Produkte, welche sich in der Unterstützung befinden, am 19.02.2022 (d.h. binnen 24-Stunden) fehlerbereinigte Versionen bereitgestellt. Der Hersteller weist darauf hin, dass diese Updates umgehend von allen Kunden, die ein betroffenes Produkt einsetzen, installiert werden sollten. --------------------------------------------- https://www.borncity.com/blog/2022/02/20/sicherheitslcke-in-diversen-zebnet… ∗∗∗ Chasing the Silver Petit Potam to Domain Admin ∗∗∗ --------------------------------------------- Exploiting Petit Potam in a different way to force some downgrade and protocol attacks. --------------------------------------------- https://blog.zsec.uk/chasing-the-silver-petit-potam/ ∗∗∗ Mobile malware evolution 2021 ∗∗∗ --------------------------------------------- In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors. --------------------------------------------- https://securelist.com/mobile-malware-evolution-2021/105876/ ∗∗∗ New Android Banking Trojan Spreading via Google Play Store Targets Europeans ∗∗∗ --------------------------------------------- "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." --------------------------------------------- https://thehackernews.com/2022/02/xenomorph-android-banking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Irony alert! PHP fixes security flaw in input validation code ∗∗∗ --------------------------------------------- If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3. Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float(). (Versions 8.0 and 7.4 are still supported, and are vulnerable too; if you aren’t using the latest 8.1 flavour of PHP then you need 8.0.16 and 7.4.28 respectively.) --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Cloud Pak for Security vulnerable to information exposure (CVE-2021-35567) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-vu… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM FileNet Content Manager component in IBM Business Automation Workflow -CVE-2021-31811, CVE-2021-31812, CVE-2021-23926, CVE-2021-38965 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-polkit-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2341 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Cloud Pak for Network Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-network… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: A vulnerability in Kubernetes affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-kubern… ∗∗∗ K28409053: Apache Tomcat vulnerability CVE-2022-23181 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28409053?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2022
by Daily end-of-shift report 18 Feb '22

18 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-02-2022 18:00 − Freitag 18-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware gang takes over TrickBot malware operation ∗∗∗ --------------------------------------------- After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-… ∗∗∗ Remcos RAT Delivered Through Double Compressed Archive, (Fri, Feb 18th) ∗∗∗ --------------------------------------------- One of our readers shared an interesting sample received via email. --------------------------------------------- https://isc.sans.edu/diary/rss/28354 ∗∗∗ Microsoft Warns of Ice Phishing Threat on Web3 and Decentralized Networks ∗∗∗ --------------------------------------------- Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while its still in its early stages. --------------------------------------------- https://thehackernews.com/2022/02/microsoft-warns-of-ice-phishing-threat.ht… ∗∗∗ Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) ∗∗∗ --------------------------------------------- This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. --------------------------------------------- https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversa… ∗∗∗ Microsoft Teams Abused for Malware Distribution in Recent Attacks ∗∗∗ --------------------------------------------- A recently identified malicious campaign has been abusing Microsoft Teams for the distribution of malware, enterprise email security firm Avanan reports. --------------------------------------------- https://www.securityweek.com/microsoft-teams-abused-malware-distribution-re… ∗∗∗ Vorsicht bei der Jobsuche: Ignorieren Sie Stellenangebote von skovgaardtransit.com! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit ein betrügerisches Stellenangebot eines angeblich globalen Logistikunternehmens namens Skovgaard Logistics Services LTD. Das unseriöse Unternehmen verspricht darin einen Job mit „hoher Bezahlung“, Vorkenntnisse sind keine notwendig. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-jobsuche-ignorieren… ∗∗∗ NSA Best Practices for Selecting Cisco Password Types ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance on securing network infrastructure devices and credentials. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/17/nsa-best-practice… ∗∗∗ CISA Compiles Free Cybersecurity Services and Tools for Network Defenders ∗∗∗ --------------------------------------------- CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/18/cisa-compiles-fre… ∗∗∗ Academics publish method for recovering data encrypted by the Hive ransomware ∗∗∗ --------------------------------------------- A team of South Korean researchers has published an academic paper on Thursday detailing a method to recover files encrypted by the Hive ransomware without paying the attackers for the decryption key. --------------------------------------------- https://therecord.media/academics-publish-method-for-recovering-data-encryp… ∗∗∗ Distribution of Magniber Ransomware Stops (Since February 5th) ∗∗∗ --------------------------------------------- The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution. --------------------------------------------- https://asec.ahnlab.com/en/31690/ ∗∗∗ Log4Shell 2 Months Later: Security Strategies for the Internets New Normal ∗∗∗ --------------------------------------------- On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-securi… ===================== = Vulnerabilities = ===================== ∗∗∗ Onlineshops: Erneut kritische Lücke in Adobe Commerce und Magento entdeckt ∗∗∗ --------------------------------------------- Aufgrund einer weiteren Sicherheitslücke hat Adobe einen Notfallpatch überarbeitet. Es gibt bereits Attacken auf Onlineshops. --------------------------------------------- https://heise.de/-6495424 ∗∗∗ Root-Rechte durch Schwachstelle in Softwareverteilungssystem Snap ∗∗∗ --------------------------------------------- Sicherheitslücken in der Software-Bereitstellung Snap ermöglichen Angreifern unter anderem, ihre Rechte im System auszuweiten. Updates beheben die Fehler. --------------------------------------------- https://heise.de/-6495740 ∗∗∗ Vulnerability found in WordPress plugin with over 3 million installations ∗∗∗ --------------------------------------------- UpdraftPlus patched the vulnerability on Thursday in version 1.22.3. --------------------------------------------- https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39026 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: CVE-2021-42771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-42771/ ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0003.html ∗∗∗ Bitdefender Antivirus: Schwachstelle ermöglicht Manipulation von Produkteinstellungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0207 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2022
by Daily end-of-shift report 17 Feb '22

17 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-02-2022 18:00 − Donnerstag 17-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Neue Welle von Spam-Mails: "Dein Paket wartet!" ∗∗∗ --------------------------------------------- Die E-Mails enthalten eine Zahlungsaufforderung und geben an, dass ein Paket abgeholt werden kann. --------------------------------------------- https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferu… ∗∗∗ Researchers Warn of a New Golang-based Botnet Under Continuous Development ∗∗∗ --------------------------------------------- Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken thats under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html ∗∗∗ Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source ∗∗∗ --------------------------------------------- Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency. --------------------------------------------- https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-test… ∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗ --------------------------------------------- NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community. --------------------------------------------- https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-fo… ∗∗∗ Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) ∗∗∗ --------------------------------------------- Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution. --------------------------------------------- https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-… ∗∗∗ Gefahr Datenleaks: Achten Sie auf Passwort-Sicherheit! ∗∗∗ --------------------------------------------- Um sich vor den Gefahren im Netz zu schützen, macht es Sinn, sich regelmäßig über Internetbetrug zu informieren und die Tricks der Kriminellen zu kennen. Doch leider können Sie auch zum Opfer werden, wenn Sie alles richtig machen und sich nicht in Internetfallen locken lassen. Das gilt zum Beispiel, wenn Ihre Daten bei einem sogenannten Datenleak veröffentlicht werden. --------------------------------------------- https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-pas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Information disclosure CVE IDs: CVE-2022-25270 Description: The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-core-2022-004 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Improper input validation CVE IDs: CVE-2022-25271 Description: Drupal cores form API has a vulnerability where certain contributed or custom modules forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. --------------------------------------------- https://www.drupal.org/sa-core-2022-003 ∗∗∗ Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025 ∗∗∗ --------------------------------------------- Project: Quick Edit Security risk: Moderately critical Vulnerability: Information Disclosure Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-025 ∗∗∗ Sicherheitsupdate: Präparierte Mails können Thunderbird aus dem Tritt bringen ∗∗∗ --------------------------------------------- Es ist eine gegen mögliche Schadcode-Attacken abgesicherte Version des Mailclients Thunderbird erschienen. --------------------------------------------- https://heise.de/-6484606 ∗∗∗ VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2022-22945 Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0005.html ∗∗∗ Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin ∗∗∗ --------------------------------------------- On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulne… ∗∗∗ PostgreSQL JDBC 42.3.3 Released ∗∗∗ --------------------------------------------- A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver. --------------------------------------------- https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/ ∗∗∗ SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-p… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2022
by Daily end-of-shift report 16 Feb '22

16 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-02-2022 18:00 − Mittwoch 16-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Researcher fully recovers text from pixels: how to reverse redaction ∗∗∗ --------------------------------------------- A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-fully-recovers-te… ∗∗∗ Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 ∗∗∗ --------------------------------------------- The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. --------------------------------------------- https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.ht… ∗∗∗ 25 years on, Microsoft makes another stab at stopping macro malware ∗∗∗ --------------------------------------------- Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet. What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals. --------------------------------------------- https://grahamcluley.com/microsoft-stab-macro-viruses/ ∗∗∗ OpSec. Hunting wireless ∗∗∗ --------------------------------------------- Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-hunting-wireless/ ∗∗∗ Characterising Cybercriminals: A Review. (arXiv:2202.07419v1 [cs.CY]) ∗∗∗ --------------------------------------------- This review provides an overview of current research on the knowncharacteristics and motivations of offenders engaging in cyber-dependentcrimes. --------------------------------------------- http://arxiv.org/abs/2202.07419 ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Security Bug Reported in Apache Cassandra Database Software ∗∗∗ --------------------------------------------- Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.h… ∗∗∗ VMware-Sicherheitsupdates: Angreifer könnten Schadcode in Host-Systeme schieben ∗∗∗ --------------------------------------------- Die VMware-Entwickler haben Sicherheitslücken in mehreren Anwendungen geschlossen. Sie stufen das Risiko als "kritisch" ein. --------------------------------------------- https://heise.de/-6478188 ∗∗∗ Atlassian Confluence und Jira für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- Admins sollten ihre Confluence und Jira Server vor möglichen Angriffen absichern. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6478758 ∗∗∗ ZDI-22-368: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-368/ ∗∗∗ ZDI-22-367: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-367/ ∗∗∗ ZDI-22-366: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-366/ ∗∗∗ ZDI-22-365: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-365/ ∗∗∗ ZDI-22-364: MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-364/ ∗∗∗ ZDI-22-363: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-363/ ∗∗∗ Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Maximo Anywhere Discloses Sensitive Information in Local Storage ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-discl… ∗∗∗ Security Bulletin: App Connect Professional is affected by polkit's pkexec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000290464 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2022
by Daily end-of-shift report 15 Feb '22

15 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-02-2022 18:00 − Dienstag 15-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Domain-Hijacking: Tausende NPM-Accounts könnten sich übernehmen lassen ∗∗∗ --------------------------------------------- Laut einer Untersuchung lassen sich verwaiste NPM-Pakete leicht übernehmen. Außerdem könnten einige Maintainer überarbeitet sein. [..] Das hat auch NPM-Besitzer Github erkannt und führt deshalb langsam die zwingende Nutzung einer Zweifaktorauthentifizierung ein. --------------------------------------------- https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-s… ∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗ --------------------------------------------- Im operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing? --------------------------------------------- https://isc.sans.edu/diary/rss/28342 ∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗ --------------------------------------------- A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. --------------------------------------------- https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html ∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗ --------------------------------------------- On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-cont… ∗∗∗ macOS: Sicherheitsupdates für ältere Versionen ∗∗∗ --------------------------------------------- Big Sur und Catalina erhalten jeweils ein Patch-Paket – doch leider verrät Apple nichts zum Inhalt. --------------------------------------------- https://heise.de/-6457597 ∗∗∗ Qnap lässt Sicherheitsupdate-Support für einige NAS-Modelle aufleben ∗∗∗ --------------------------------------------- Wer einen älteren Netzwerkspeicher (NAS) von Qnap besitzt, könnte ab sofort wieder Sicherheitspatches bekommen. --------------------------------------------- https://heise.de/-6474074 ∗∗∗ Betrügerische Wohnungsinserate erkennen: So geht’s ∗∗∗ --------------------------------------------- Auf Plattformen wie immobilienscout24.at, willhaben.at oder im Facebook Marketplace werden immer wieder Fake-Inserate von Miet- und Eigentumswohnungen veröffentlicht. Fake-Inserate können aber anhand einiger Merkmale schnell entlarvt werden. Zum einen am günstigen Preis, zum anderen an der Kommunikation mit den Eigentümerinnen und Eigentümern. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erke… ∗∗∗ New Emotet Infection Method ∗∗∗ --------------------------------------------- As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload. --------------------------------------------- https://unit42.paloaltonetworks.com/new-emotet-infection-method/ ∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗ --------------------------------------------- Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics. --------------------------------------------- https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-th… ∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗ --------------------------------------------- Unpatched servers have been used to twist corporate email threads and conduct financial theft. --------------------------------------------- https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exc… ∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-rele… ∗∗∗ Sicherheitswarnung von Tuxedo Computer – dringend Passwort ändern ∗∗∗ --------------------------------------------- TUXEDO Computers ist ein in Augsburg angesiedelter Anbieter von Computern. [..] Bei diesem Hersteller hat es eine Sicherheitslücke gegeben, so dass der Hersteller die Kunden auffordert, ihre Kennwörter für deren Online-Konten zu ändern. --------------------------------------------- https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-comp… ∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗ --------------------------------------------- Multi-factor Authentication or MFA (sometimes referred as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations. --------------------------------------------- https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗ --------------------------------------------- Zero-day buses: none for a while, then three at once. Heres Google joining Apple and Adobe in "zero-day week" --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-ch… ∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗ --------------------------------------------- The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10937 ∗∗∗ Unsichere Babymonitore von Nooie: Fremde könnten Vollzugriff erlangen ∗∗∗ --------------------------------------------- Bei der Analyse von zwei Babyphones von Nooie hat Bitdefender Sicherheitslücken entdeckt, durch die Angreifer etwa den Videostream anzapfen könnten. --------------------------------------------- https://heise.de/-6475088 ∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗ --------------------------------------------- Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ VMSA-2022-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-8.4 CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050 Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0004.html ∗∗∗ Symlink Directory Traversal in Linksys WLAN-Router (SYSS-2021-046) ∗∗∗ --------------------------------------------- Linksys WLAN-Router beinhaltet eine Schwachstelle, die es Angreifern erlaubt, Zugriff auf das gesamte interne Dateisystem des Routers zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wla… ∗∗∗ Unzureichender Schutz für Medieninhalte bei AVMs FRITZ!Box (SYSS-2021-050) ∗∗∗ --------------------------------------------- AVMs FRITZ!Box-Heimrouter ermöglichen es Angreifenden, in Heimnetzwerken auf Mediendaten wie z. B. Bilder oder Videos zuzugreifen. --------------------------------------------- https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-b… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-349/ ∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-348/ ∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-347/ ∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-346/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-004 ∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-003 ∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-002 ∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-001 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2022
by Daily end-of-shift report 14 Feb '22

14 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-02-2022 18:00 − Montag 14-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗ --------------------------------------------- Googles Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-… ∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗ --------------------------------------------- Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers attempts to steal Windows credentials from the LSASS process. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard… ∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗ --------------------------------------------- The malware underground market might seem astoundingly professional in marketing and support. Lets take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne… ∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗ --------------------------------------------- This week I got this run-of-the-mill DHL phishing in my ISC inbox. --------------------------------------------- https://isc.sans.edu/diary/rss/28332 ∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗ --------------------------------------------- If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs. --------------------------------------------- https://isc.sans.edu/diary/rss/28338 ∗∗∗ Vulnerabilities that aren’t. Unquoted Spaces ∗∗∗ --------------------------------------------- I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un… ∗∗∗ E-Mail vom Bundeskriminalamt mit Betreff „BUNDESKRIMINALAMT VORLADUNG“ ist Fake ∗∗∗ --------------------------------------------- „Hallo, wir teilen Ihnen mit, dass Sie eine Straftat begangen haben“ lautet der Text in einem E-Mail – angeblich vom Bundeskriminalamt. In einem angehängten PDF-Dokument teilen Ihnen das Bundeskriminalamt, die Polizei sowie Europol mit, dass gegen Sie ein Verfahren wegen einer sexuellen Straftat eingeleitet wurde. Achtung: Dieses E-Mail ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗ --------------------------------------------- A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. --------------------------------------------- https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/ ∗∗∗ Jetzt aktualisieren! Angriffe auf Shop-Systeme Adobe Commerce und Magento ∗∗∗ --------------------------------------------- Adobe meldet Angriffe auf die Shop-Systeme Commerce und Magento. Updates stehen bereit, die die ausgenutzte kritische Sicherheitslücke schließen sollen. --------------------------------------------- https://heise.de/-6455225 ∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-318/ ∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2022
by Daily end-of-shift report 11 Feb '22

11 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-02-2022 18:00 − Freitag 11-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗ --------------------------------------------- Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of… ∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗ --------------------------------------------- I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone. --------------------------------------------- https://isc.sans.edu/diary/rss/28324 ∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗ --------------------------------------------- I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution! --------------------------------------------- https://isc.sans.edu/diary/rss/28330 ∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗ --------------------------------------------- Big Brother Zoomer is listening to us, complain users Apple Mac users running the Zoom meetings app are reporting that its keeping their computers microphone on when they arent using it. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic… ∗∗∗ Schwachstelle im Virenschutz Microsoft-Defender stillschweigend abgedichtet ∗∗∗ --------------------------------------------- Durch zu laxe Rechtevergabe hätten Angreifer auf die Microsoft-Defender-Ausnahmen zugreifen können. Die Lücke hat das Unternehmen ohne Ankündigung behoben. --------------------------------------------- https://heise.de/-6444399 ∗∗∗ Luftnummer: Warnung vor Geisterberührungen auf Touchscreens ∗∗∗ --------------------------------------------- Die TU Darmstadt warnt, dass gezielte Angriffe auf Touchscreens möglich seien. Praxistauglich ist der beschriebene "GhostTouch"-Angriff jedoch nicht. --------------------------------------------- https://heise.de/-6445488 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know… ∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗ --------------------------------------------- GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecures Titan Managed Detection and Response (MDR) team. --------------------------------------------- https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: SMB-Lücke in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine fast zwei Jahre alte kritische Lücke in Windows wird derzeit aktiv ausgenutzt. Exploits gibt es auch für eine sieben Jahre alte Windows-Lücke. --------------------------------------------- https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen… ∗∗∗ Notfall-Patch für iPhones, iPads und Macs: iOS 15.3.1 und macOS 12.2.1 verfügbar ∗∗∗ --------------------------------------------- Apple schließt eine Lücke, die offenbar aktiv für Angriffe ausgenutzt wird. Außerdem beseitigt der Hersteller Bugs, darunter Bluetooth-Probleme bei Intel-Macs. --------------------------------------------- https://heise.de/-6440372 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba). --------------------------------------------- https://lwn.net/Articles/884516/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0178 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2022
by Daily end-of-shift report 10 Feb '22

10 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-02-2022 18:00 − Donnerstag 10-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗ --------------------------------------------- Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar… ∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗ --------------------------------------------- Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h… ∗∗∗ Linux Malware on the Rise ∗∗∗ --------------------------------------------- Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states. --------------------------------------------- https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic… ∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗ --------------------------------------------- The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot. --------------------------------------------- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783… ∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗ --------------------------------------------- SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..] --------------------------------------------- https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/ ∗∗∗ Vorsicht vor betrügerischen Fortnite-Shops! ∗∗∗ --------------------------------------------- Betrügerische Fortnite-Onlineshops, wie premiumskins.net bieten beliebte Outfits, sogenannte „Fortnite-Skins“ zum Kauf an. Doch Vorsicht – oft werden die Skins nach Bezahlung nicht geliefert! Kaufen Sie Skins nur über den offiziellen Store, innerhalb des Spiels und vertrauen Sie keinen externen Anbietern. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit… ∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗ --------------------------------------------- Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere. Here are some of our most critical findings --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-290/ ∗∗∗ WordPress-Übernahme durch kritische Lücken in PHP Everywhere ∗∗∗ --------------------------------------------- Angreifer hätten durch eine kritische Sicherheitslücke in PHP Everywhere beliebigen Code in WordPress-Instanzen ausführen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-6369318 ∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗ --------------------------------------------- On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. --------------------------------------------- https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex). --------------------------------------------- https://lwn.net/Articles/884381/ ∗∗∗ Dell Computer: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Dell Computer ausnutzen, um beliebigen Programmcode auszuführen oder modifizierte BIOS-Firmware zu installieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0174 ∗∗∗ Drupal: Mehrere Schwachstellen [in Plugins] ∗∗∗ --------------------------------------------- Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden. Ein entfernter, anonymer oderauthentisierter Angreifer kann mehrere Schwachstellen in Drupal [Plugins] ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0173 ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j( CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0016 ∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0017 ∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0018 ∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0011 ∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0021 ∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0020 ∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2022
by Daily end-of-shift report 09 Feb '22

09 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-02-2022 18:00 − Mittwoch 09-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗ --------------------------------------------- South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit… ∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗ --------------------------------------------- Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst… ∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗ --------------------------------------------- The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre… ∗∗∗ Bios, UEFI, WLAN: Intel schließt zahlreiche Firmware-Sicherheitslücken ∗∗∗ --------------------------------------------- An einem groß angelegten Patch-Day stellt Intel Updates für Sicherheitslücken bereit. Diese lassen sich zum Ausweiten von Rechten nutzen. --------------------------------------------- https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar… ∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗ --------------------------------------------- Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08. --------------------------------------------- https://isc.sans.edu/diary/rss/28318 ∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022–22718) ∗∗∗ --------------------------------------------- In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022. --------------------------------------------- https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati… ∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗ --------------------------------------------- SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products. --------------------------------------------- https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/ ∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗ --------------------------------------------- Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-040a ===================== = Vulnerabilities = ===================== ∗∗∗ Ausführen von Schadcode denkbar: Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler schließen in aktualisierten Versionen von Firefox und Thunderbird viele Sicherheitslücken. Einige davon stufen sie als hohes Risiko ein. --------------------------------------------- https://heise.de/-6360477 ∗∗∗ Patchday Microsoft: Angreifer könnten eine Kernel-Lücke in Windows ausnutzen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Azure, Office, Windows & Co. Das ist selten: Keine der geschlossenen Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-6360267 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Illustrator ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben ihr Software-Portfolio gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6360575 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...] --------------------------------------------- https://lwn.net/Articles/884242/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN12969207/ ∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX337526 ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0002.html ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0158 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0156 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0159 ∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2022
by Daily end-of-shift report 08 Feb '22

08 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-02-2022 18:00 − Dienstag 08-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internetsicherheit: So schützen Sie sich vor Account-Hijacking und Co. ∗∗∗ --------------------------------------------- Wir erklären Ihnen, worauf Sie achten sollten, damit Sie sicher im Internet unterwegs sind. --------------------------------------------- https://heise.de/-6355600 ∗∗∗ Microsoft Office soll VBA-Makros standardmäßig blockieren ∗∗∗ --------------------------------------------- Makros sind ein Einfallstor für Malware. VBA-Makros standardmäßig zu deaktivieren, ist längst überfällig. --------------------------------------------- https://heise.de/-6353429 ∗∗∗ Patchday: Lücken in SAP-Produkten ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Am Februar-Patchday schließt SAP mehrere kritische Sicherheitslücken, durch die Angreifer Schadcode in betroffene Systeme einschleusen hätten können. --------------------------------------------- https://heise.de/-6356776 ∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗ --------------------------------------------- Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases. --------------------------------------------- https://arxiv.org/pdf/2112.06804.pdf ∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗ --------------------------------------------- They call it Sugar ransomware, but its not sweet in any way. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-… ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- [UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗ --------------------------------------------- An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022020031 ∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗ --------------------------------------------- An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release. --------------------------------------------- https://portal.microfocus.com/s/article/KM000003667?language=en_US ∗∗∗ Patchday: Kritische System-Lücke lässt Angreifer auf Android-Geräte zugreifen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12 und verschiedene Komponenten des Systems. --------------------------------------------- https://heise.de/-6355256 ∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗ --------------------------------------------- On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...] --------------------------------------------- https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/884082/ ∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu… ∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu… ∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt ∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt ∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt ∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt ∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt ∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt ∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt ∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt ∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2022
by Daily end-of-shift report 07 Feb '22

07 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-02-2022 18:00 − Montag 07-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗ --------------------------------------------- The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr… ∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗ --------------------------------------------- When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways. --------------------------------------------- https://www.wired.com/story/mac-malware-growing-more-sophisticated ∗∗∗ Shadow Credentials ∗∗∗ --------------------------------------------- During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualize the steps of the technique Shadow Credentials in practice. --------------------------------------------- https://pentestlab.blog/2022/02/07/shadow-credentials/ ∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗ --------------------------------------------- You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage. --------------------------------------------- https://isc.sans.edu/diary/rss/28312 ∗∗∗ Sextortion: Wenn ein harmloser Flirt in Erpressung endet ∗∗∗ --------------------------------------------- Sextortion ist eine Betrugsmasche, bei der meist männliche Opfer von Online-Bekanntschaften aufgefordert werden, sexuelles Bild- und Videomaterial von sich zu versenden oder sich nackt vor der Webcam zu zeigen. Mit diesen Bildern und Videos werden die Opfer dann erpresst: Zahlen oder das Material wird im Internet veröffentlicht! --------------------------------------------- https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-… ∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommend mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi… ∗∗∗ Microsoft deaktiviert wegen Emotet & Co. MSIX ms-appinstaller Protokoll-Handler in Windows (Feb. 2022) ∗∗∗ --------------------------------------------- Nachdem Ransomware wie Emotet oder BazarLoader den MSIX ms-appinstaller Protokoll-Handler missbrauchten, hat Microsoft nun erneut reagiert. Der komplette MSIX ms-appinstaller Protokoll-Handler wurde vorerst in Windows – quasi als Schutz vor Emotet, BazarLoader oder ähnlicher Malware – deaktiviert. --------------------------------------------- https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi… ∗∗∗ Vorsicht: audacity.de und keepass.de verbreiten Malware (Feb. 2022) ∗∗∗ --------------------------------------------- Kleiner Hinweis an Leute, die sich gerne Software aus dem Internet herunterladen. Es sieht so aus, als ob die Domains audacity.de und keepass.de in die Hände von Leuten gekommen sind, die damit Schindluder treiben. Statt ein Audio-Tool oder einen Passwort-Manager zu bekommen, wird über die betreffenden Seiten Malware verteilt. --------------------------------------------- https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/884015/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0143 ∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95898697/ ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multipe vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2022
by Daily end-of-shift report 04 Feb '22

04 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-02-2022 18:00 − Freitag 04-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstelle in GitOps-Tool: Argo CD über Path Traversal angreifbar ∗∗∗ --------------------------------------------- Angriffe mit manipulierten Helm-Charts ermöglichen Zugriff auf beliebige Verzeichnisse im Repository des Continuous-Delivery-Werkzeugs für Kubernetes. --------------------------------------------- https://heise.de/-6349810 ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- - Volexity discovers XSS zero-day vulnerability against Zimbra - Targeted sectors include European government and media - Successful exploitation results in theft of email data from users --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗ --------------------------------------------- In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats. --------------------------------------------- https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind… ∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗ --------------------------------------------- This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et… ∗∗∗ Target open-sources its web skimmer detector ∗∗∗ --------------------------------------------- Targets cybersecurity team has open-sourced the code of Merry Maker, the companys internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers. --------------------------------------------- https://therecord.media/target-open-sources-its-web-skimmer-detector/ ∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗ --------------------------------------------- Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks. --------------------------------------------- https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou… ∗∗∗ Special Report: Die Tücken von Active Directory Certificate Services (AD CS) ∗∗∗ --------------------------------------------- Active Directory Certificate Services (ADCS) ist anfällig für Fehlkonfigurationen, mit denen eine komplette Kompromittierung des Netzes trivial möglich ist. Publiziert wurde das Problem im Sommer 2021, jetzt wird diese Methode bei APT-Angriffen benutzt. Kontrollieren Sie mit den bereitgestellten Tools ihr Setup. Stellen Sie mit den angeführten Präventiv-Maßnahmen höhere Sichtbarkeit her. Überprüfen Sie mit den vorgestellen Tools, ob eine Fehlkonfiguration bereits ausgenutzt wurde. --------------------------------------------- https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...] --------------------------------------------- https://lwn.net/Articles/883828/ ∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno… ∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67396225/ ∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40508224 ∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05295469 ∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2022
by Daily end-of-shift report 03 Feb '22

03 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-02-2022 18:00 − Donnerstag 03-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spam-Anrufe von Wiener Nummer: “This is the police” ∗∗∗ --------------------------------------------- Bei solchen Anrufen gilt es generell, sofort aufzulegen. Ist man sich unsicher, ob der Anruf echt war (im Falle eines englischsprachigen Tonbands ist er das jedenfalls nicht), kann man eigenständig die Polizei (133) anrufen. Die Polizei warnt, dass man nie eine "Polizei"-Telefonnummern zurückrufen soll, wenn das in solchen Anrufen gefordert wird. Hat man bereits mit der Person gesprochen und Daten herausgegeben, soll man umgehend Anzeige bei der Polizei erstatten. --------------------------------------------- https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police… ∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗ --------------------------------------------- Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details. --------------------------------------------- https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav… ∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗ --------------------------------------------- For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known. --------------------------------------------- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ ∗∗∗ Tattoo-Giveaways auf Instagram führen in eine Abo-Falle ∗∗∗ --------------------------------------------- Kriminelle versenden Nachrichten von Fake-Accounts und behaupten, dass Instagram-User bei einem Gewinnspiel gewonnen hätten. Doch der angebliche Gewinn führt nicht zu einem neuen Tattoo, sondern in eine gut getarnte Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File ParsingOut-Of-Bounds Read Information Disclosure Vulnerability * DCM File Parsing Use-After-Free Information Disclosure Vulnerability * JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability * JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability --------------------------------------------- https://www.zerodayinitiative.com/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba). --------------------------------------------- https://lwn.net/Articles/883676/ ∗∗∗ Sensormatic PowerManage ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ Airspan Networks Mimosa ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02 ∗∗∗ Zwei Schwachstellen in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗ --------------------------------------------- In AudioCodes Session Border Controller (SBC) kann Telefonbetrug begangen werden. Auch wurde eine Rechteeskalation in der Web Management-Konsole gefunden. --------------------------------------------- https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct… ∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗ --------------------------------------------- Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M… ∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu… ∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-042/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2022
by Daily end-of-shift report 02 Feb '22

02 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-02-2022 18:00 − Mittwoch 02-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗ --------------------------------------------- The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. --------------------------------------------- https://kb.cert.org/vuls/id/796611 ∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure. --------------------------------------------- https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst… ∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗ --------------------------------------------- The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). --------------------------------------------- https://lwn.net/Articles/883448/ ∗∗∗ Post E-Mail „Dein Paket wartet !“ ist fake! ∗∗∗ --------------------------------------------- Kriminelle versenden gehäuft E-Mails im Namen der Post mit dem Betreff „Dein Paket wartet !“. Eine Liefergebühr über 1,69 Euro sei ausständig. Achtung: Die E-Mails sind frei erfunden. Die Kriminellen wenden Spoofing an, um die Mail-Adresse echt aussehen zu lassen und verlinken auf eine nachgebaute Post-Website. --------------------------------------------- https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron). --------------------------------------------- https://lwn.net/Articles/883541/ ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device. The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API." --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.… ∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-20-217 ∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-185 ∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-148 ∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-166 ∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-132 ∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-180 ∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-158 ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu… ∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu… ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2022
by Daily end-of-shift report 01 Feb '22

01 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 31-01-2022 18:00 − Dienstag 01-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI-Grundschutz-Kompendium 2022: Neue Bausteine, schlankere Struktur ∗∗∗ --------------------------------------------- Das IT-Grundschutzkompendium in der Edition 2022 wartet mit einigen neuen Bausteinen, aber auch mit strukturellen Änderungen auf. --------------------------------------------- https://heise.de/-6344956 ∗∗∗ SMS der „Bawag“ mit „Ihr Konto wurde gesperrt!“ ist Fake ∗∗∗ --------------------------------------------- Vorsicht: Momentan kursiert ein betrügerisches SMS – angeblich von der Bawag. In der Nachricht werden Sie darüber informiert, dass Ihr Konto gesperrt wurde. Sie werden aufgefordert, auf einen Link zu klicken. Tun Sie das keinesfalls. Der Link führt auf eine gefälschte BAWAG-Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge… ∗∗∗ Domain Escalation – Machine Accounts ∗∗∗ --------------------------------------------- The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins. --------------------------------------------- https://pentestlab.blog/2022/02/01/machine-accounts/ ∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗ --------------------------------------------- 42 Gears released an initial set of updates in November and more earlier this month. --------------------------------------------- https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-146/ ∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-148/ ∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗ --------------------------------------------- 2022-01-31 a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2022-010 ∗∗∗ WordPress-Plug-in Essential Addons for Elementor als Schadcode-Schleuder ∗∗∗ --------------------------------------------- In der aktuellen Version von Essential Addons for Elementor haben die Entwickler eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-6344583 ∗∗∗ VMSA-2022-0003 ∗∗∗ --------------------------------------------- VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/883423/ ∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗ --------------------------------------------- This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01 ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02 ∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-04 ∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K59563964 ∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97120268 ∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00322972 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a… ∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2022
by Daily end-of-shift report 31 Jan '22

31 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-01-2022 18:00 − Montag 31-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4Shell: Eine Bestandsaufnahme ∗∗∗ --------------------------------------------- Nach der Panik wegen der größten Sicherheitslücke aller Zeiten blieb der große Knall aus. Kommt der noch oder haben wir das Gröbste überstanden? --------------------------------------------- https://heise.de/-6342536 ∗∗∗ Unseriöse Umzugsfirmen: Vorsicht bei zu günstigen Angeboten ∗∗∗ --------------------------------------------- Sie ziehen gerade um und sind auf der Suche nach einer Umzugsfirma? Unser Tipp: Lassen Sie sich nicht von Billigangeboten täuschen! Festpreisangebote von „25 Euro pro Stunde für 2 Männer inklusive LKW“ sind vollkommen unrealistisch. Dabei handelt es sich um ein Lockangebot. Bei einer Beauftragung wird Ihnen schlussendlich der 3- bis 4-fache Preis verrechnet! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei… ∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗ --------------------------------------------- A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e… ∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗ --------------------------------------------- Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, by example, the right to forward or copy the original email. --------------------------------------------- https://isc.sans.edu/diary/rss/28292 ∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗ --------------------------------------------- It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory. --------------------------------------------- https://github.com/cado-security/rip_raw ∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗ --------------------------------------------- This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post. --------------------------------------------- https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4 ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Junior IT-Security Analyst:in, IT-Security Analyst:in, Python Entwickler:in) ∗∗∗ --------------------------------------------- Wir suchen derzeit: - Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security zur Unterstützung bei den täglich anfallenden Routineaufgaben - IT/OT-Security Generalist:in oder Spezialist:in im Bereich Windows Security, mit Praxiserfahrung - Python Entwickler:in zur Weiterentwicklung von bestehenden Open-Source-Projekten, insbesondere IntelMQ und Tuency Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗ --------------------------------------------- The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges. --------------------------------------------- https://kb.cert.org/vuls/id/119678 ∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server. --------------------------------------------- https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002… ∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗ --------------------------------------------- Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d… ∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗ --------------------------------------------- There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of theTLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. --------------------------------------------- https://openssl.org/news/secadv/20220128.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...] --------------------------------------------- https://lwn.net/Articles/883322/ ∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗ --------------------------------------------- Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54450124 ∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46015513 ∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-002/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2022
by Daily end-of-shift report 28 Jan '22

28 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-01-2022 18:00 − Freitag 28-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lets Encrypt: Was Admins heute tun müssen ∗∗∗ --------------------------------------------- Heute um 17 Uhr werden bei Lets Encrypt Zertifikate zurückgezogen. Wir beschreiben, wie Admins prüfen können, ob sie betroffen sind. Eine Anleitung von Hanno Böck --------------------------------------------- https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1… ∗∗∗ Fake-Gewinnspiel führt in Abo-Falle: BetrügerInnen geben sich als Ö-Ticket aus! ∗∗∗ --------------------------------------------- Auf Facebook geben sich Kriminelle unter der Seite „Oeticket Österreich“ als Ö-Ticket aus und bewerben das „Gewinnspiel des Jahres“. Zu gewinnen gibt es 2 Tickets für ein Ed Sheeran Konzert. Doch Achtung: Mit dieser Masche versuchen die Kriminellen an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle… ∗∗∗ QNAP probt Zwangsupdate nach 3.600 DeadBolt-Ransomware-Infektionen ∗∗∗ --------------------------------------------- QNAP-Nutzer werden aktuell wohl Opfer der DeadBolt-Ransomware – ich hatte es nicht im Blog, aber binnen einer Woche waren es wohl über 3.600 Opfer. Der NAS-Hersteller greift nun zu drastischen Mitteln und versucht die Firmware betroffener Geräte zwangsweise zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600… ∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗ --------------------------------------------- The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Unions financial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy… ∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗ --------------------------------------------- According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes. --------------------------------------------- https://news.drweb.com/show/?i=14408&lng=en&c=9 ∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗ --------------------------------------------- Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic. --------------------------------------------- https://news.drweb.com/show/?i=14410&lng=en&c=9 ∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗ --------------------------------------------- If you are wondering why your wordpress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity. --------------------------------------------- https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers… ∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victims network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h… ∗∗∗ How to avoid an open source security nightmare ∗∗∗ --------------------------------------------- Just as it would be a mistake to say that all closed source projects are bug-free, its a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases. --------------------------------------------- https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar… ∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗ --------------------------------------------- Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC --------------------------------------------- https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗ --------------------------------------------- Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗ --------------------------------------------- 2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/883047/ ∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗ --------------------------------------------- BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637429.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2022
by Daily end-of-shift report 27 Jan '22

27 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-01-2022 18:00 − Donnerstag 27-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- How are the email security systems bypassed with vulnerability on ''Microsoft Outlook for Mac''? Improper hyperlink translation in ''Microsoft Outlook for Mac'' leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06… ∗∗∗ Update-Reigen: macOS 12.2, watchOS 8.4 und tvOS 15.3 beheben Fehler ∗∗∗ --------------------------------------------- Apple hat neben iOS und iPadOS 15.3 auch alle anderen Betriebssysteme aktualisiert. Zudem gibts ein HomePod-OS-Update. --------------------------------------------- https://heise.de/-6340079 ∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗ --------------------------------------------- [..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht… ∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗ --------------------------------------------- The topics I look to cover in this article are - Quick intro to the Linux Audit System - Tips when writing audit rules - Designing a configuration for security monitoring - What to record with auditd - Tips on managing noise --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗ --------------------------------------------- In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play. --------------------------------------------- https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta… ∗∗∗ Jetzt handeln! Erpressungstrojaner DeadBolt hat es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Der Hersteller von Netzwerkspeichern (NAS) Qnap warnt abermals vor Ransomware-Attacken und gibt wichtige Tipps zur Absicherung. --------------------------------------------- https://heise.de/-6340174 ∗∗∗ Betrug mit nachgebautem Käuferschutz auf ebay-kleinanzeigen.de ∗∗∗ --------------------------------------------- eBay-kleinanzeigen.de stellt eine beliebte Kleinanzeigen-Plattform dar. Wie bei einigen anderen bekannten Marktplätzen wird auch hier eine sichere Bezahlmethode direkt auf der Plattform angeboten. Kriminelle nützen dies aus, indem sie die Kommunikation von offizieller Website und App beispielsweise auf WhatsApp verlagern. Später verweisen sie auf nachgebaute Websites und zweigen Zahlungen direkt in die eigenen Taschen ab! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut… ∗∗∗ The January 2022 Security Update Review ∗∗∗ --------------------------------------------- The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi… ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗ --------------------------------------------- Project: Private Taxonomy Terms Security risk: Critical Description: This module enables users to create private vocabularies.The module doesnt sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-014 ∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗ --------------------------------------------- Project: Navbar Security risk: Moderately critical Description: This module provides a very simple, mobile-friendly navigation toolbar.The module doesnt sufficiently check for user-provided input. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-011 ∗∗∗ Xerox Versalink Denial Of Service ∗∗∗ --------------------------------------------- A specifically crafted TIFF payload may be submitted to the printers job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad-infinitum. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010119 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/882882/ ∗∗∗ Synology-SA-22:02 Samba ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_02 *** Drupal: Bugs in unsupporteten Sub-Projekten *** --------------------------------------------- The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it. - Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022 - Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021 - Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020 - Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019 - Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018 - Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017 - Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016 - Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015 - Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013 - Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012 - Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010 - Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009 - Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008 - Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007 - Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005 - Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006 --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ Security Bulletin:IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2022
by Daily end-of-shift report 26 Jan '22

26 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-01-2022 18:00 − Mittwoch 26-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ALPN: Ein Prozent der Lets-Encrypt-Zertifikate wird zurückgezogen ∗∗∗ --------------------------------------------- Lets Encrypt teilt mit, dass es Probleme bei der ALPN-Validierungsmethode gab und damit ausgestellte Zertifikate zurückgezogen werden. --------------------------------------------- https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi… ∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗ --------------------------------------------- Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date. --------------------------------------------- https://isc.sans.edu/diary/rss/28276 ∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗ --------------------------------------------- "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h… ∗∗∗ Sysdig-Report: Container-Deployments weisen mehrheitlich Schwachstellen auf ∗∗∗ --------------------------------------------- Sysdig beobachtet einen anhaltenden Shift Left bei Container Security, viele Schwachstellen bleiben aber ungepatcht und Rechte-Konfigurationen unzureichend. --------------------------------------------- https://heise.de/-6336816 ∗∗∗ Root-Zugriff unter Linux durch Polkit-Lücke ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwachstelle in Polkit entdeckt, die Rechteausweitung ermöglicht. Für die viele Distributionen sind bereits Patches verfügbar. --------------------------------------------- https://heise.de/-6338569 ∗∗∗ Fake-Shops geben sich als Shops für Warenhausauflösungen aus ∗∗∗ --------------------------------------------- Derzeit stoßen wir vermehrt auf Fake-Shops, die behaupten auf Warenhausauflösungen spezialisiert zu sein oder Überbestände von Amazon oder von Kaufhäusern zu verkaufen. Damit begründen Sie auch ihre günstigen Preise für Marken-Produkte wie KitchenAid, Weber oder DeLonghi. Doch wer genau hinsieht, erkennt, dass es sich um Fake-Shops handelt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer… ∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware. --------------------------------------------- https://asec.ahnlab.com/en/30875/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗ --------------------------------------------- TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. - Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146 - Cross-site scripting (CWE-79) - CVE-2022-21193 --------------------------------------------- https://jvn.jp/en/jp/JVN70100915/ ∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗ --------------------------------------------- This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account. --------------------------------------------- https://pitstop.manageengine.com/portal/en/community/topic/security-update-… ∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗ --------------------------------------------- The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing sidechannel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server). --------------------------------------------- https://lwn.net/Articles/882724/ ∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Automationis vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ GE Gas Power ToolBoxST ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01 ∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2022
by Daily end-of-shift report 25 Jan '22

25 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Responsible Disclosure: Vom Finden und Melden von Sicherheitslücken ∗∗∗ --------------------------------------------- Im Auftrag eines ISP habe ich mehrere Sicherheitslücken in einem Cisco-Router gefunden. Hier erkläre ich, wie ich vorgegangen bin. Ein Erfahrungsbericht von Marco Wiorek --------------------------------------------- https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-… ∗∗∗ Analyse: Linux- und ESXi-Varianten der LockBit-Ransomware ∗∗∗ --------------------------------------------- Die Forscher von Trend Micro Research haben das Thema LockBit-Ransomware in einer Analyse aufgegriffen. Denn diese Ransomware bedroht inzwischen nicht mehr nur Windows-Systeme. Es gibt bereits Samples, die auch Linux- und VMware ESXi-Instanzen befallen können. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d… ∗∗∗ Vollzugriff durch Hintertür in WordPress-Erweiterungen ∗∗∗ --------------------------------------------- Bei einem Servereinbruch landete Hintertür-Schadcode in Plugins und Themes von AccessPress. Angreifer könnten dadurch WordPress-Instanzen übernehmen. --------------------------------------------- https://heise.de/-6337344 ∗∗∗ Jetzt patchen! Attacken auf Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer derzeit Sonicwall Secure Mobile Access im Visier haben. Dagegen lässt sich etwas tun. --------------------------------------------- https://heise.de/-6337222 ∗∗∗ Verkaufen auf willhaben, ebay & Co: Zahlung und Versand nicht über „Kurierdienst Post“ oder „ebay Selling“ abwickeln ∗∗∗ --------------------------------------------- Auf ebay, willhaben, Shpock und Co. treiben momentan vermehrt betrügerische KäuferInnen ihr Unwesen. Diese können aber rasch entlarvt werden: Betrügerische KäuferInnen wollen die Zahlung und Versendung Ihres Produktes über spezielle Dienstleistungen abwickeln. Dabei handelt es sich um angebliche Kurierdienste der Post oder ebay. Diese sind aber Fake! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl… ∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗ --------------------------------------------- Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques. --------------------------------------------- https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/ ∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗ --------------------------------------------- The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. --------------------------------------------- https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html ∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗ --------------------------------------------- A previously undocumented cyber-espionage malware aimed at Apples macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...] --------------------------------------------- https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h… ∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗ --------------------------------------------- We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.The post Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent… ∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗ --------------------------------------------- Attackers have targeted hundreds of organisations, says Microsoft security. --------------------------------------------- https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th… ∗∗∗ Introducing Scanning Made Easy ∗∗∗ --------------------------------------------- A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗ --------------------------------------------- CVE ID: CVE-2022-22509; CVSS 3.1: 8.8 In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-001/ ∗∗∗ Kritische Sicherheitslücke in Unisys Messaging Integration Services ∗∗∗ --------------------------------------------- Unbefugte Nutzer könnten aufgrund fehlerhafter Passwort-Prüfungen in den Messaging Integration Services (NTSI) von Unisys Zugang zu Servern erhalten. --------------------------------------------- https://heise.de/-6337226 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan). --------------------------------------------- https://lwn.net/Articles/882552/ ∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗ --------------------------------------------- PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings. --------------------------------------------- https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin… ∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 und der freie Disk-Speicher ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat ein kritisches Update 2380 für seine Worry Free Business Security (WFBS) freigegeben. Der Patch soll ein Sicherheitsproblem in einer Komponente beseitigen, die die Virenschutzlösung angreifbar macht. Was aber nicht verraten wird: Um diesen kritischen Patch zu installieren, müssen mindestens 13 Gigabyte Festplattenspeicher auf dem Systemlaufwerk vorhanden sein. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se… ∗∗∗ XSA-395 ∗∗∗ --------------------------------------------- Insufficient cleanup of passed-through device IRQs --------------------------------------------- https://xenbits.xen.org/xsa/advisory-395.html ∗∗∗ XSA-394 ∗∗∗ --------------------------------------------- A PV guest could DoS Xen while unmapping a grant --------------------------------------------- https://xenbits.xen.org/xsa/advisory-394.html ∗∗∗ XSA-393 ∗∗∗ --------------------------------------------- arm: guest_physmap_remove_page not removing the p2m mappings --------------------------------------------- https://xenbits.xen.org/xsa/advisory-393.html ∗∗∗ GNU libc: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0097 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0096 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0094 ∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2022
by Daily end-of-shift report 24 Jan '22

24 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-01-2022 18:00 − Montag 24-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erfolgreicher Angriff auf Nutzerkonten bei Thalia ∗∗∗ --------------------------------------------- Um Schaden von den Kunden abzuwenden, wurden die Kennwörter der betroffenen Konten von Thalia geändert. Die entsprechenden Kunden wurden per E-Mail darüber informiert. Der Buchhändler ruft in der E-Mail auch dazu auf, das Thalia-Kennwort bei anderen Diensten zu ändern, falls dieses auch bei anderen Anbietern mit dem gleichen Benutzernamen verwendet wird. --------------------------------------------- https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten… ∗∗∗ Backup-Software: Dell EMC AppSync kompromittierbar ∗∗∗ --------------------------------------------- Durch mehrere Sicherheitslücken in der Backup-Software EMC AppSync von Dell hätten Angreifer in betroffene Systeme eindringen und sie manipulieren können. --------------------------------------------- https://heise.de/-6334745 ∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗ --------------------------------------------- In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir… ∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗ --------------------------------------------- Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he accepted to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make it more confident with the file. A perfect example of social engineering attack. --------------------------------------------- https://isc.sans.edu/diary/rss/28264 ∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗ --------------------------------------------- Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default. --------------------------------------------- https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex… ∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗ --------------------------------------------- Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...] --------------------------------------------- https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html ∗∗∗ GoWard A robust and rapidly-deployable Red Team proxy ∗∗∗ --------------------------------------------- Generally, Red Teams and adversarys redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWards intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation. --------------------------------------------- https://github.com/chdav/GoWard ∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗ --------------------------------------------- Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites. --------------------------------------------- https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other… ∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗ --------------------------------------------- We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign. --------------------------------------------- https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of… ∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗ --------------------------------------------- Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...] --------------------------------------------- https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗ --------------------------------------------- The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldnt otherwise access or delete, [...] --------------------------------------------- https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗ --------------------------------------------- CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target. --------------------------------------------- https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird). --------------------------------------------- https://lwn.net/Articles/882396/ ∗∗∗ phpMyAdmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0089 ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… ∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2022
by Daily end-of-shift report 21 Jan '22

21 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-01-2022 18:00 − Freitag 21-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iOS 15.3 & Co: Wichtige Bugfixes für iPhones, Macs und Watches in Vorbereitung ∗∗∗ --------------------------------------------- Apples anstehende Betriebssystem-Updates schließen ein schweres Datenschutzleck im Browser Safari und sollen Ladeprobleme bei der Apple Watch ausräumen. --------------------------------------------- https://heise.de/-6334675 ∗∗∗ Netzwerkausrüster F5 sichert BIG-IP & Co. gegen mögliche Attacken ab ∗∗∗ --------------------------------------------- Über Schwachstellen in verschiedenen BIG-IP Appliances könnte Schadcode auf Systeme gelangen. --------------------------------------------- https://heise.de/-6334437 ∗∗∗ Vorsicht: Gefälschte Europol-Vorladungen im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als Europol aus und versenden eine „Einberufung“, die für viele EmpfängerInnen sehr bedrohlich wirkt: So behaupten die Kriminellen, dass mehrere Gerichtsverfahren gegen die Betroffenen laufen würden. Konkret ginge es um Kinderpornografie, Pädophile und Ähnliches. Auch wenn die Mail sehr beängstigend klingt, besteht kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-gefaelschte-europol-vorladu… ∗∗∗ SonicWall Gen7 Firewall Inaccessible/ Reboot Loop (20. Jan. 2022) ∗∗∗ --------------------------------------------- Aktuell sieht es so aus, als ob die SonicWall Gen7 Firewalls seit dem 20. Januar 2022 ein Problem verursachen. Es gibt Berichte, dass kein Zugriff mehr möglich ist oder die Gen7 Firewall in eine Neustart-Schleife fallen. Von SonicWall gibt es dazu bereits einen Supportbeitrag mit einem Workaround. --------------------------------------------- https://www.borncity.com/blog/2022/01/21/sonicwall-gen7-firewall-inaccessib… ∗∗∗ Over 90 WordPress themes, plugins backdoored in supply chain attack ∗∗∗ --------------------------------------------- A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plu… ∗∗∗ Doctor Web’s overview of virus activity on mobile devices in 2021 ∗∗∗ --------------------------------------------- In 2021, making illegal profit remained one of the top cybercriminals’ priorities. That’s why adware trojans, malware that downloaded and installed other software, and trojans capable of downloading and executing arbitrary code, were among the most common threats on Android. Banking trojans also posed a significant threat whilst their activity increased. Moreover, users often encountered various adware apps. --------------------------------------------- https://news.drweb.com/show/?i=14395&lng=en&c=9 ∗∗∗ Doctor Web’s annual virus activity review for 2021 ∗∗∗ --------------------------------------------- Among the most popular threats in 2021 were numerous malware. Among them were trojan droppers destined to distribute malicious malware, and trojan downloader modifications–they download and run executable files with various payloads on the victims computer. Besides that, cybercriminals were actively distributing backdoors. Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET. --------------------------------------------- https://news.drweb.com/show/?i=14393&lng=en&c=9 ∗∗∗ Spyware Blitzes Compromise, Cannibalize ICS Networks ∗∗∗ --------------------------------------------- The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud. --------------------------------------------- https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/… ∗∗∗ AccessPress Themes Hit With Targeted Supply Chain Attack ∗∗∗ --------------------------------------------- Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites. --------------------------------------------- https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply… ∗∗∗ A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations ∗∗∗ --------------------------------------------- Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors. --------------------------------------------- https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukr… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/287178 ∗∗∗ Plugin "Email Template Designer" reißt Sicherheitslücke in WordPress ∗∗∗ --------------------------------------------- Durch eine Schwachstelle im WordPress-Plugin "WordPress Email Template Designer - WP HTML Mail" könnten Angreifer dem Administrator Schadcode unterschieben. --------------------------------------------- https://heise.de/-6334308 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview). --------------------------------------------- https://lwn.net/Articles/882119/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0001.html ∗∗∗ Lexmark Laser Printers: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0087 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Operational Decision Manager (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to a denial of service vulnerability in Apache log4j2 component (CVE-2021-45105 & CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Java Batch affects WebSphere Application Server Liberty (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-bat… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-has… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2022
by Daily end-of-shift report 20 Jan '22

20 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-01-2022 18:00 − Donnerstag 20-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗ --------------------------------------------- Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses. --------------------------------------------- https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense… ∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗ --------------------------------------------- At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. --------------------------------------------- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ ∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗ --------------------------------------------- This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers? --------------------------------------------- https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-w… ∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗ --------------------------------------------- Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an " input validation vulnerability that could allow attackers to build a query given some input and [..] --------------------------------------------- https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html ∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗ --------------------------------------------- "BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researcher said in a technical report on Wednesday. --------------------------------------------- https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html ∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗ --------------------------------------------- Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that the payload is delivered through FTP! It’s pretty unusual because FTP is today less and less used for multiple reasons (lack of encryption by default, complex to filter with those passive/active modes). --------------------------------------------- https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-thr… ∗∗∗ Kritische Sicherheitslücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- In der aktualisierten Version von Google Chrome schließt das Unternehmen zahlreiche Schwachstellen. Mindestens eine davon stuft der Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-6332812 ∗∗∗ Knapp 7 Millionen Passwörter von Open Subtitles entwendet ∗∗∗ --------------------------------------------- Die Webseiten und das Forum von Open Subtitles wurden Opfer von Cyberkriminellen. Die konnten alle Zugangsdaten erbeuten. Nutzer müssen jetzt aktiv werden. --------------------------------------------- https://heise.de/-6332951 ∗∗∗ Zahlreiche Facebook-Seiten bewerben Fernseher um 1,95€ ∗∗∗ --------------------------------------------- Einen QLED-Fernseher um nur 1,95 Euro? Das versprechen derzeit zahlreiche Facebook-Seiten. Alles was Sie dafür machen müssen, ist an einer kurzen Umfrage teilnehmen. Anschließend sollen Sie noch die Kreditkartendaten eingeben, um 1,95 Euro zu bezahlen und schon wird ein hochwertiger Fernseher zu Ihnen nach Hause geliefert. Wie so oft gilt: Das Angebot ist zu gut, um wahr zu sein. Tatsächlich landen Ihre Kreditkartendaten in den Händen von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross site scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. --------------------------------------------- https://www.drupal.org/sa-core-2022-002 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7 --------------------------------------------- https://www.drupal.org/sa-core-2022-001 ∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗ --------------------------------------------- Project: jQuery UI Datepicker Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-004 ∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗ --------------------------------------------- CVE-2021-22282: RCE through Project Upload from Target All versions of Automation Studio 4 are affected. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16405293… ∗∗∗ Local file inclusion Schwachstelle in Land Software - FAUST iServer ∗∗∗ --------------------------------------------- Der von Land Software entwickelte Webserver namens FAUST iServer ist anfällig auf eine local file inclusion Schwachstelle. Ein Angreifer kann alle lokalen Dateien des zugrunde liegenden Betriebssystems im Kontext der aktuellen Festplatte lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-… ∗∗∗ Rechenfehler im Linux-Kernel erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Vor allem in Cloud-Systemen problematisch: An Linux-Systemen angemeldete Nutzer könnten aufgrund eines potenziellen Pufferüberlaufs ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-6333365 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src). --------------------------------------------- https://lwn.net/Articles/881956/ ∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗ --------------------------------------------- We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗ --------------------------------------------- A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328). --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-b… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll… ∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-044/ ∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2022
by Daily end-of-shift report 19 Jan '22

19 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-01-2022 18:00 − Mittwoch 19-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗ --------------------------------------------- [..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18. --------------------------------------------- https://isc.sans.edu/diary/rss/28254 ∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗ --------------------------------------------- In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom. --------------------------------------------- https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-ex… ∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗ --------------------------------------------- Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically, --------------------------------------------- https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevors… ∗∗∗ Betrügerische Geldversprechen auf Instagram ∗∗∗ --------------------------------------------- Kriminelle richten sich mit ihren betrügerischen Anfragen insbesondere an junge Frauen und Männer. Sie versprechen ihnen hohe Geldbeträge für anzügliche Fotos oder spielen vor, an der Finanzierung des Lifestyles der betroffenen Personen interessiert zu sein. Wer solche Angebote bekommt, sollte unbedingt Abstand nehmen. Denn es handelt sich um einen Vorschussbetrug, bei dem vorab Zahlungen verlangt werden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-i… ∗∗∗ The Perfect Cyber Crime ∗∗∗ --------------------------------------------- [..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums. --------------------------------------------- https://safebreach.com/blog/2022/the-perfect-cyber-crime/ ∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗ --------------------------------------------- In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it. --------------------------------------------- https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗ --------------------------------------------- The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks CVE: CVE-2021-24750 --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010098 ∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 497 new security patches across the (Anm.: 165) product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2022.html ∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗ --------------------------------------------- Acer ships most of the laptop it sells with a software suite called Care Center Service installed. In versions up to 4.00.3038 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in. --------------------------------------------- https://aptw.tf/2022/01/20/acer-care-center-privesc.html ∗∗∗ Sicherheitsupdate: Mediaplayer Nvidia Shield TV für Schadcode-Attacke anfällig ∗∗∗ --------------------------------------------- Die Entwickler haben mehrere Lücken in der Android-Version für Nvidia Shield TV geschlossen. Insgesamt gilt das Risiko als hoch. --------------------------------------------- https://heise.de/-6332144 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/881810/ ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61112120 ∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96924184 ∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82793463 ∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41503304 ∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53442005 ∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16101409 ∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28042514 ∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91013510 ∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08476614 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93526903 ∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30525503 ∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54892865 ∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29500533 ∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50343028 ∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68755210 ∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26310765 ∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34360320 ∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30911244 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41415626 ∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44110411 ∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08402414 ∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11742742 ∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30573026 ∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24358905 ∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2022
by Daily end-of-shift report 18 Jan '22

18 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 17-01-2022 18:00 − Dienstag 18-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft releases emergency fixes for Windows Server, VPN bugs ∗∗∗ --------------------------------------------- Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc… ∗∗∗ Telenot-Schließanlage: Schwacher Zufall sorgt für offene Türen ∗∗∗ --------------------------------------------- Ein Alarmanlagen- und Schließsystem erstellte Zufallszahlen mit einer dafür nicht geeigneten C-Funktion. --------------------------------------------- https://www.golem.de/news/telenot-schliessanlage-schwacher-zufall-sorgt-fue… ∗∗∗ Understanding Website SQL Injections ∗∗∗ --------------------------------------------- SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it’s become more important for web users to adapt to these increased breaches with changes in behavior like system generated passwords and 2FA. In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack. --------------------------------------------- https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html ∗∗∗ Zoho Patches Critical Vulnerability in Endpoint Management Solutions ∗∗∗ --------------------------------------------- Zoho Corp on Monday said it has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. --------------------------------------------- https://www.securityweek.com/zoho-patches-critical-vulnerability-endpoint-m… ∗∗∗ Kreditbetrug auf globalekredit-fin.com & darlehenexpert.com ∗∗∗ --------------------------------------------- Sie möchten einen Kredit aufnehmen und suchen im Internet nach günstigen Konditionen? Wir raten zur Vorsicht. In den Suchergebnissen lauern auch betrügerische Angebote wie globalekredit-fin.com oder darlehenexpert.com. Wer dort eine Anfrage stellt, läuft Gefahr viel Geld zu verlieren. Und: Kredite gibt es hier keine! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-auf-globalekredit-finco… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0002 ∗∗∗ --------------------------------------------- VMware Workstation and Horizon Client for Windows updates address a denial-of-service vulnerability (CVE-2022-22938) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/881648/ ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-36160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-is… ∗∗∗ Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j CVE-2021-45046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-40438) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2022
by Daily end-of-shift report 17 Jan '22

17 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-01-2022 18:00 − Montag 17-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v97 ∗∗∗ --------------------------------------------- We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97! We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th) ∗∗∗ --------------------------------------------- Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). --------------------------------------------- https://isc.sans.edu/diary/rss/28246 ∗∗∗ New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking ∗∗∗ --------------------------------------------- A software bug introduced in Apple Safari 15s implementation of the IndexedDB API could be abused by a malicious website to track users online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021. --------------------------------------------- https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.ht… ∗∗∗ Domain Persistence – Machine Account ∗∗∗ --------------------------------------------- Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “userAccountControl” attribute [...] --------------------------------------------- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/ ∗∗∗ "Smishing"-Masche: Weiter massenhaft Betrugs-SMS auf Handys ∗∗∗ --------------------------------------------- Wer eine SMS von unbekannt mit einem Link bekommt, sollte vorsichtig sein. Es könnte sich um eine Betrugs-SMS handeln. "Smishing" ist noch immer nicht vorbei. --------------------------------------------- https://heise.de/-6328158 ∗∗∗ Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide ∗∗∗ --------------------------------------------- The GoSecure Titan Labs team saw an opportunity to further explore the topic of hash capturing (which is a must in the arsenal of any offensive team). This blog will examine RDP security modes, how they work and how to put that into action to capture NetNTLMv2 hashes via the RDP protocol using PyRDP—a library created by GoSecure. --------------------------------------------- https://www.gosecure.net/blog/2022/01/17/capturing-rdp-netntlmv2-hashes-att… ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: Linux full-disk encryption bug fixed – patch now! ∗∗∗ --------------------------------------------- Imagine if someone who didnt have your password could sneakily modify data that was encrypted with it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/01/14/serious-security-linux-full-dis… ∗∗∗ Über drei Millionen PCs in Deutschland mit unsicherem Windows-System ∗∗∗ --------------------------------------------- Vor zwei Jahren stellte Microsoft den Support für Windows 7 ein. Trotzdem schaffen es viele Anwender nicht, sich von dem unsicheren System zu trennen. --------------------------------------------- https://heise.de/-6328189 ∗∗∗ Virenschutz: Microsoft Defender erleichtert Einnisten von Schädlingen ∗∗∗ --------------------------------------------- Eine kleine Schwachstelle bei Zugriffsrechten des Microsoft Defender unter Windows 10 ermöglicht Angreifern, Malware vor Scans zu verstecken. --------------------------------------------- https://heise.de/-6329300 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/881545/ ∗∗∗ Oracle to Release Nearly 500 New Security Patches ∗∗∗ --------------------------------------------- Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022. --------------------------------------------- https://www.securityweek.com/oracle-release-nearly-500-new-security-patches ∗∗∗ Microsoft Januar 2022 Patchday-Revisionen (14.1.2022) ∗∗∗ --------------------------------------------- Zum 11. Januar 2022 hat Microsoft eine Reihe Sicherheitsupdates für Windows und Office freigegeben, die Schwachstellen beseitigen sollen. Einige dieser Updates führten aber zu Problemen, so dass Funktionen in Windows gestört wurden. Am 14. Januar 2022 hat Microsoft eine Liste [...] --------------------------------------------- https://www.borncity.com/blog/2022/01/17/microsoft-januar-2022-patchday-rev… ∗∗∗ ZDI-22-081: TP-Link TL-WA1201 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-081/ ∗∗∗ ZDI-22-080: TP-Link Archer C90 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-080/ ∗∗∗ OpenBMCS 2.4 Secrets Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php ∗∗∗ OpenBMCS 2.4 Unauthenticated SSRF / RFI ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php ∗∗∗ OpenBMCS 2.4 Create Admin / Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-041/ ∗∗∗ GNU libc: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0054 ∗∗∗ Stored Cross-Site Scripting Schwachstelle in Typo3 Extension "femanager" ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2022
by Daily end-of-shift report 14 Jan '22

14 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-01-2022 18:00 − Freitag 14-01-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Defender weakness lets hackers bypass malware detection ∗∗∗ --------------------------------------------- Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-… ∗∗∗ Nach Log4J: Google will zusammen mit Regierungen Open Source absichern ∗∗∗ --------------------------------------------- Seit langem sucht Google nach Wegen, Open-Source-Software besser abzusichern. Nach der Log4J-Lücke kommen nun auch Regierungen ins Spiel. --------------------------------------------- https://www.golem.de/news/nach-log4j-google-will-zusammen-mit-regierungen-o… ∗∗∗ Microsoft Yanks Buggy Windows Server Updates ∗∗∗ --------------------------------------------- Since their release on Patch Tuesday, the updates have been breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable. --------------------------------------------- https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/ ∗∗∗ A closer look at Flubot’s DoH tunneling ∗∗∗ --------------------------------------------- [...] The following blog post will take a closer look at Flubot version 4.9, and in particular its Command and Control (C&C) communication, based on the data F-Secure gathered during that campaign. --------------------------------------------- https://blog.f-secure.com/flubot_doh_tunneling/ ∗∗∗ Verwundbare Exchange-Server der öffentlichen Verwaltung ∗∗∗ --------------------------------------------- 20 Exchange-Server in öffentlicher Hand waren für eine Sicherheitslücke anfällig. Kriminelle hätten die Kontrolle übernehmen können. --------------------------------------------- https://heise.de/-6320504 ∗∗∗ Citrix liefert Sicherheitsupdates für Workspace App und Hypervisor ∗∗∗ --------------------------------------------- Sicherheitslücken in der Citrix Workspace App for Linux und im Hypervisor ermöglichten Angreifern die Rechteausweitung oder DoS-Attacken auf den Host. --------------------------------------------- https://heise.de/-6327171 ∗∗∗ Aus für iOS 14? Verwirrung über fehlende Sicherheits-Updates ∗∗∗ --------------------------------------------- Neben iOS 15 stellte Apple erstmals Updates für die Vorjahresversion des Betriebssystems in Aussicht. Es fehlen aber wichtige Patches für iOS 14. --------------------------------------------- https://heise.de/-6327709 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Unified Contact Manager ∗∗∗ --------------------------------------------- Admins von Cisco-Hard- und -Software sind gefragt, ihre Systeme abzusichern. --------------------------------------------- https://heise.de/-6327050 ∗∗∗ Schadcode-Schlupflöcher in Qnap NAS geschlossen ∗∗∗ --------------------------------------------- Die Qnap-Entwickler haben ihr NAS-Betriebssystem und zwei Apps gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6327201 ∗∗∗ Juniper Networks stopft zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- In Geräten und Diensten von Juniper hätten Angreifer Schwachstellen etwa für DoS-Angriffe, die Ausweitung von Rechten oder Schlimmeres missbrauchen können. --------------------------------------------- https://heise.de/-6327645 ∗∗∗ Signierte Kernel‑Treiber – unbewachte Zugänge zum Windows‑Kern ∗∗∗ --------------------------------------------- ESET Forscher untersuchen Schwachstellen in signierten Windows-Treibern, die trotz Gegenmaßnahmen immer noch ein Sicherheitsproblem darstellen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-treiber-… ∗∗∗ Telefon-Betrug: Drücken Sie nicht die Taste 1! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit betrügerische Anrufe: Dabei werden willkürlich Personen angerufen und mit einer Bandansage darauf hingewiesen, dass es einen Haftbefehl gegen sie gäbe. Um mehr zu erfahren, solle die Taste 1 gedrückt werden. Machen Sie das auf keinen Fall! Die BetrügerInnen wollen Sie damit in eine Kostenfalle locken. --------------------------------------------- https://www.watchlist-internet.at/news/telefon-betrug-druecken-sie-nicht-di… ∗∗∗ Schwachstellen in AWS Glue und AWS Cloud Formation entdeckt ∗∗∗ --------------------------------------------- Das Orca Security Research Team hat Sicherheitslücken im Amazon Web Services AWS Glue-Service sowie zur Zero-Day-Schwachstelle BreakingFormation erkannt. Beide Unternehmen konnten binnen weniger Tagen die Fehler beheben. --------------------------------------------- https://www.zdnet.de/88398803/schwachstellen-in-aws-glue-und-aws-cloud-form… ∗∗∗ Detection Rules for Sysjoker (and How to Make Them With Osquery) ∗∗∗ --------------------------------------------- On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/detection-rules-sysjoker-osquer… ∗∗∗ Adobe Acrobat (Reader) DC 21.011.20039, Installationsfehler und offene Bugs ∗∗∗ --------------------------------------------- Kurzer Sammelbeitrag zum Acrobat Gelump, was Adobe auf die Rechner der Nutzer kippt. Zum 11. Januar 2022 gab es ein Sicherheitsupdate für den Adobe Acrobat (Reader) DC auf die Version 21.011.20039. Weiterhin haben mich die letzten Tage einige Nutzer auf eine Latte an offenen Bugs hingewiesen, die ich hier mal einfach einstellen will. Soll ja niemand behaupten, ich ließe die "Qualitätsupdates" von Adobe zum Acrobat unerwähnt. --------------------------------------------- https://www.borncity.com/blog/2022/01/14/adobe-acrobat-reader-dc-21-011-200… ===================== = Vulnerabilities = ===================== ∗∗∗ Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles ∗∗∗ --------------------------------------------- Positive Technologies researchers, Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnsites. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow). --------------------------------------------- https://lwn.net/Articles/881407/ ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Lack of Administrator Control Over Security vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Initialization vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block, --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-07 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) ∗∗∗ --------------------------------------------- [...] 4.1 AFFECTED PRODUCTS [...] Begin Update B Part 1 of 1 - L 02/06/26 CPU (-P), L 26 CPU - (P) BT, serial number 23121 and earlier End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-20-303-01 ∗∗∗ Trane Symbio (Update B) ∗∗∗ --------------------------------------------- [...] 3. RISK EVALUATION Begin Update B Part 1 of 1 Successful exploitation of this vulnerability could allow a user to execute arbitrary code on the controller. End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-21-266-01 ∗∗∗ Ivanti Updates Log4j Advisory with Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-lo… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0050 ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0052 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2022
by Daily end-of-shift report 13 Jan '22

13 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-01-2022 18:00 − Donnerstag 13-01-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ 19-jähriger Hacker kann Teslas in 13 Ländern fernsteuern ∗∗∗ --------------------------------------------- Der junge IT-Sicherheitsexperte kann die Autos lokalisieren, Türen öffnen und das Entertainment-System fernsteuern. [..] In einem Twitter-Beitrag, den er am Montag veröffentlichte, erklärte er auch, dass es sich bei dem Fehler nicht um eine Schwachstelle in der Infrastruktur von Tesla handelt. Es sei der Fehler der Besitzer*innen. Weiters schreibt Colombo, dass er das Problem an das Sicherheitsteam von Tesla gemeldet hat, das die Angelegenheit untersucht. --------------------------------------------- https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laen… ∗∗∗ Adobe Cloud Abused to Steal Office 365, Gmail Credentials ∗∗∗ --------------------------------------------- Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered. --------------------------------------------- https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/17762… ∗∗∗ Decrypting Qakbot’s Encrypted Registry Keys ∗∗∗ --------------------------------------------- One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-… ∗∗∗ Viele Lücken im Software-System Jenkins entdeckt – und noch nicht geschlossen ∗∗∗ --------------------------------------------- Entwickler sollten ihre Jenkins-Umgebung aus Sicherheitsgründen auf den aktuellen Stand bringen. Viele Updates sind jedoch noch nicht verfügbar. --------------------------------------------- https://heise.de/-6326362 ∗∗∗ 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability ∗∗∗ --------------------------------------------- We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins.. --------------------------------------------- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-th… ∗∗∗ Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems ∗∗∗ --------------------------------------------- [..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves. --------------------------------------------- https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html ∗∗∗ Code-Signatur-Prozesse sichern ∗∗∗ --------------------------------------------- DevOps steht unter Druck, wie unter anderem bei der Attacke auf SolarWinds offenkundig wurde. Fünf Wege zur Absicherung von Code-Signatur-Prozessen schildert Tony Hadfield, Director Solutions Architect bei Venafi, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master" ∗∗∗ --------------------------------------------- * Cross-site request forgery (CWE-352) - CVE-2022-0180 * Reflected cross-site scripting (CWE-79) - CVE-2022-0181 * Stored cross-site scripting (CWE-79) - CVE-2022-0182 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN72788165/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat 34 Security Advisories veröffentlicht. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Klartextspeicherung des Kennwortes in Cisco IP Telefonen ∗∗∗ --------------------------------------------- Mehrere Cisco IP Telefone speichern das konfigurierte Verwalterkennwort als Klartext im unverschlüsselten Flash Speicher. Somit ist die Extrahierung des Kennworts bei physischem Zugriff auf ein Telefon problemlos möglich. Wird dieses Kennwort nun bei mehreren Telefonen verwendet, bekommt ein Angreifer Zugriff auf die administrativen Einstellungen aller Geräte im Netzwerk. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-d… ∗∗∗ Apache Log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- Product / System line - Potentially affected products and versions * B&R Products - See further details in specific advisory * ABB Remote Service - ABB Remote Access Platform (RAP) --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ iOS 15.2.1 und iPadOS 15.2.1: Wartungsupdates für iPhone und iPad ∗∗∗ --------------------------------------------- Apple hat eine Bugfix- und Sicherheitsaktualisierung für seine Handys und Tablets. Neben einigen Fehler wird auch ein Sicherheitsproblem behoben. --------------------------------------------- https://heise.de/-6325566 ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht Computer mit HP-UX ∗∗∗ --------------------------------------------- HPE-Entwickler haben eine kritische Schwachstelle im Unix-Betriebssystem HP-UX geschlossen. --------------------------------------------- https://heise.de/-6326104 ∗∗∗ IBM sichert sein Server- und Workstation-System AIX ab ∗∗∗ --------------------------------------------- Angreifer könnten AIX-Systeme von IBM attackieren und Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6326080 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd). --------------------------------------------- https://lwn.net/Articles/881303/ ∗∗∗ Cisco Patches Critical Vulnerability in Contact Center Products ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator. --------------------------------------------- https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-c… ∗∗∗ Citrix Hypervisor Security Update - CTX335432 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor, that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715 All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues --------------------------------------------- https://support.citrix.com/article/CTX335432 ∗∗∗ CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH) ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts: * Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; * Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0015 ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-horto… ∗∗∗ Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynami… ∗∗∗ January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-03 ∗∗∗ CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0014 ∗∗∗ CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0013 ∗∗∗ CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2022
by Daily end-of-shift report 12 Jan '22

12 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗ --------------------------------------------- TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… ∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd… ∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗ --------------------------------------------- Here, we analyze the macOS versions of a cross-platform backdoor. --------------------------------------------- https://objective-see.com/blog/blog_0x6C.html ∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗ --------------------------------------------- Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. --------------------------------------------- https://isc.sans.edu/diary/rss/28234 ∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗ --------------------------------------------- This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-… ∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗ --------------------------------------------- Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te… ∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗ --------------------------------------------- With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours. --------------------------------------------- https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em… ∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗ --------------------------------------------- ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation. --------------------------------------------- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g… ∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗ --------------------------------------------- Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten. --------------------------------------------- https://certitude.consulting/blog/de/ransomware-leak-de/ ∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗ --------------------------------------------- Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o… ∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗ --------------------------------------------- Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten. --------------------------------------------- https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh… ∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗ --------------------------------------------- The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/30645/ ∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗ --------------------------------------------- Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information. --------------------------------------------- http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr… ===================== = Vulnerabilities = ===================== ∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗ --------------------------------------------- Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu… ∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗ --------------------------------------------- 1 Critical, 8 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM published 14 Security Bulletins --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-6323634 ∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗ --------------------------------------------- Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6323723 ∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗ --------------------------------------------- Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio. --------------------------------------------- https://heise.de/-6323843 ∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗ --------------------------------------------- Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind. --------------------------------------------- https://heise.de/-6323936 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml). --------------------------------------------- https://lwn.net/Articles/881144/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗ --------------------------------------------- The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗ --------------------------------------------- When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/ ∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-… ∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0037 ∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-57 ∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-59 ∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-60 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2022
by Daily end-of-shift report 11 Jan '22

11 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗ --------------------------------------------- Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert. --------------------------------------------- https://heise.de/-6323191 ∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗ --------------------------------------------- Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt. --------------------------------------------- https://heise.de/-6322269 ∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗ --------------------------------------------- Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the… ∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-… ∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗ --------------------------------------------- The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo… ∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗ --------------------------------------------- The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al. --------------------------------------------- https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus… ∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗ --------------------------------------------- TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit… ∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗ --------------------------------------------- Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0 --------------------------------------------- https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin… ∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗ --------------------------------------------- Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/securit… ∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗ --------------------------------------------- The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems. --------------------------------------------- https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/ ∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗ --------------------------------------------- Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗ --------------------------------------------- Researchers offer more detail on the bug, which can allow attackers to completely take over targets. --------------------------------------------- https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/ ∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗ --------------------------------------------- Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi… ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent… ∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗ --------------------------------------------- The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-059/ ∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions. --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018… ∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗ --------------------------------------------- On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 ∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. --------------------------------------------- https://support.citrix.com/article/CTX338435 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/881005/ ∗∗∗ Synology-SA-22:01 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_01 ∗∗∗ Johnson Controls VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know… ∗∗∗ January 10th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2022
by Daily end-of-shift report 10 Jan '22

10 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗ --------------------------------------------- Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien. --------------------------------------------- https://heise.de/-6321079 ∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗ --------------------------------------------- The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e… ∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗ --------------------------------------------- Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m… ∗∗∗ Wheres the Interpreter!? ∗∗∗ --------------------------------------------- CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why! --------------------------------------------- https://objective-see.com/blog/blog_0x6A.html ∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗ --------------------------------------------- TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T". --------------------------------------------- https://isc.sans.edu/diary/rss/28194 ∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗ --------------------------------------------- There is also a video of this analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28200 ∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗ --------------------------------------------- Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. --------------------------------------------- https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h… ∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗ --------------------------------------------- The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s… ∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗ --------------------------------------------- tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. --------------------------------------------- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names… ∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗ --------------------------------------------- The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools. --------------------------------------------- https://www.securityweek.com/us-government-issues-warning-over-commercial-s… ∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗ --------------------------------------------- Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. --------------------------------------------- https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c… ∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗ --------------------------------------------- When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. --------------------------------------------- https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗ --------------------------------------------- Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. --------------------------------------------- https://kb.cert.org/vuls/id/142629 ∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗ --------------------------------------------- A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...] --------------------------------------------- https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html ∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates. --------------------------------------------- https://heise.de/-6321485 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/880807/ ∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗ --------------------------------------------- Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates. --------------------------------------------- https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...] --------------------------------------------- http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2022
by Daily end-of-shift report 07 Jan '22

07 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗ --------------------------------------------- A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu… ∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans… ∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗ --------------------------------------------- A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples… ∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗ --------------------------------------------- This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. --------------------------------------------- https://isc.sans.edu/diary/rss/28224 ∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗ --------------------------------------------- When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. --------------------------------------------- https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html ∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗ --------------------------------------------- Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt. --------------------------------------------- https://heise.de/-6319430 ∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗ --------------------------------------------- Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht. --------------------------------------------- https://heise.de/-6320248 ∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗ --------------------------------------------- LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗ --------------------------------------------- QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar… ∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗ --------------------------------------------- UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit… ∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗ --------------------------------------------- Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. --------------------------------------------- https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 36 Security Bulletins veröffentlicht --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗ --------------------------------------------- In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6320363 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...] --------------------------------------------- https://lwn.net/Articles/880564/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/880672/ ∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-01 ∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-02 ∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0006 ∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0014 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01 ∗∗∗ Fernhill SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03 ∗∗∗ Philips Engage Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2022
by Daily end-of-shift report 05 Jan '22

05 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗ --------------------------------------------- Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-… ∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗ --------------------------------------------- Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? --------------------------------------------- https://isc.sans.edu/diary/rss/28216 ∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗ --------------------------------------------- An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information. --------------------------------------------- https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html ∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗ --------------------------------------------- Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money. --------------------------------------------- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati… ∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗ --------------------------------------------- Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio… ∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗ --------------------------------------------- Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗ --------------------------------------------- IBM hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗ --------------------------------------------- VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch. --------------------------------------------- https://heise.de/-6318269 ∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗ --------------------------------------------- IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten. --------------------------------------------- https://heise.de/-6318740 ∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗ --------------------------------------------- Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können. --------------------------------------------- https://heise.de/-6318885 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/880454/ ∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗ --------------------------------------------- Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS. --------------------------------------------- https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20… ∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10396196 ∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2022
by Daily end-of-shift report 04 Jan '22

04 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗ --------------------------------------------- I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). --------------------------------------------- https://isc.sans.edu/diary/rss/28212 ∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗ --------------------------------------------- The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way. --------------------------------------------- https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle… ∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden. --------------------------------------------- https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm… ∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗ --------------------------------------------- A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites. --------------------------------------------- https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/ ∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗ --------------------------------------------- Organizations mights not realize their environments are already compromised. --------------------------------------------- https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble… ∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗ --------------------------------------------- A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs. --------------------------------------------- https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/880327/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ VMSA-2022-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0001.html ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2022
by Daily end-of-shift report 03 Jan '22

03 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗ --------------------------------------------- Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro… ∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗ --------------------------------------------- Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year. --------------------------------------------- https://isc.sans.edu/diary/rss/28202 ∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗ --------------------------------------------- I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. --------------------------------------------- https://isc.sans.edu/diary/rss/28208 ∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗ --------------------------------------------- Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. --------------------------------------------- https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html ∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗ --------------------------------------------- Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten. --------------------------------------------- https://heise.de/-6316020 ∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗ --------------------------------------------- Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe. --------------------------------------------- https://heise.de/-6315605 ∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗ --------------------------------------------- Or, “Can large language models generate exploits?” --------------------------------------------- https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang… ∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗ --------------------------------------------- We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous. --------------------------------------------- https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep… ∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗ --------------------------------------------- Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde. --------------------------------------------- https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01 ∗∗∗ Log4j Scanners ∗∗∗ --------------------------------------------- There are 19 tools, and each has certain stipulations with it. I would suggest take a look. --------------------------------------------- https://securitythreatnews.com/2022/01/03/log4j-scanners/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben. --------------------------------------------- https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un… ∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗ --------------------------------------------- Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat. --------------------------------------------- https://heise.de/-6315714 ∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗ --------------------------------------------- Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6316037 ∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen. --------------------------------------------- https://heise.de/-6316263 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/880100/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana). --------------------------------------------- https://lwn.net/Articles/880232/ ∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy… ∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2021
by Daily end-of-shift report 30 Dec '21

30 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗ --------------------------------------------- Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl… ∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗ --------------------------------------------- Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. --------------------------------------------- https://isc.sans.edu/diary/rss/28190 ∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗ --------------------------------------------- Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches. --------------------------------------------- https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr… ∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗ --------------------------------------------- Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient. --------------------------------------------- https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb). --------------------------------------------- https://lwn.net/Articles/880039/ ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1320 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2021
by Daily end-of-shift report 29 Dec '21

29 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗ --------------------------------------------- The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa… ∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗ --------------------------------------------- Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc… ∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗ --------------------------------------------- Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben. --------------------------------------------- https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3… ∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗ --------------------------------------------- Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API) --------------------------------------------- https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh… ∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗ --------------------------------------------- A supervised learning approach to Living off the Land attack classification from Adobe SI --------------------------------------------- https://isc.sans.edu/diary/rss/28184 ∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗ --------------------------------------------- An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," --------------------------------------------- https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html ∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗ --------------------------------------------- In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF. --------------------------------------------- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ ∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗ --------------------------------------------- Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security. --------------------------------------------- https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt… ∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c… ∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗ --------------------------------------------- An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations. --------------------------------------------- https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗ --------------------------------------------- CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one. --------------------------------------------- https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-… ∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗ --------------------------------------------- This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/879995/ ∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1313 ∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗ --------------------------------------------- Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. - Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates - Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only) --------------------------------------------- https://support.citrix.com/article/CTX335705 ∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- CVE identifier: CVE-2021-34347 Affected products: All QNAP NAS A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-53 ∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2021
by Daily end-of-shift report 28 Dec '21

28 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. --------------------------------------------- https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html ∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗ --------------------------------------------- This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root. --------------------------------------------- https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html ∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗ --------------------------------------------- Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload. --------------------------------------------- https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac… ===================== = Vulnerabilities = ===================== ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update December 28, 10:01am The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions). --------------------------------------------- https://lwn.net/Articles/879952/ ∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2021
by Daily end-of-shift report 27 Dec '21

27 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-12-2021 18:00 − Montag 27-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rook ransomware is yet another spawn of the leaked Babuk code ∗∗∗ --------------------------------------------- A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-anoth… ∗∗∗ QNAP NAS devices hit in surge of ech0raix ransomware attacks ∗∗∗ --------------------------------------------- Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surg… ∗∗∗ Example of how attackers are trying to push crypto miners via Log4Shell, (Fri, Dec 24th) ∗∗∗ --------------------------------------------- While following Log4Shell's exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victims machines. --------------------------------------------- https://isc.sans.edu/diary/rss/28172 ∗∗∗ More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild ∗∗∗ --------------------------------------------- A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. --------------------------------------------- https://therecord.media/more-than-1200-phishing-toolkits-capable-of-interce… ∗∗∗ QNAP Firmware-Update Version QTS 5.0.0.1891 build 20211221 und log4j-Schwachstelle ∗∗∗ --------------------------------------------- Der Hersteller QNAP hat kurz vor Weihnachten ein Firmware-Update für sein QTS 5 freigegeben. Das Update schließt einige Schwachstellen. Zudem wurde eine log4j-Schwachstelle in QNAP-Software gemeldet. --------------------------------------------- https://www.borncity.com/blog/2021/12/26/qnap-firmware-update-version-qts-5… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett Walk-Through Metal Detectors Can Be Hacked Remotely ∗∗∗ --------------------------------------------- A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices. --------------------------------------------- https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html ∗∗∗ Remote Code Execution Vulnerabilities in Veritas Enterprise Vault ∗∗∗ --------------------------------------------- Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server. CVSS v3.1 Base Score 9.8 CVEs: CVE-2021-44679, CVE-2021-44680, CVE-2021-44678, CVE-2021-44677, CVE-2021-44682, CVE-2021-44681 --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS21-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 33 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc). --------------------------------------------- https://lwn.net/Articles/879791/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc). --------------------------------------------- https://lwn.net/Articles/879891/ ∗∗∗ SolarWinds - multiple advisories ∗∗∗ --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ K16090693: Apache HTTP server vulnerability CVE-2021-44224 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16090693 ∗∗∗ Moxa MGate Protocol Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-01 ∗∗∗ Johnson Controls exacq Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2021
by Daily end-of-shift report 23 Dec '21

23 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗ --------------------------------------------- A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employ… ∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗ --------------------------------------------- A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-… ∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗ --------------------------------------------- A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-… ∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗ --------------------------------------------- A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. --------------------------------------------- https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csir… ∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗ --------------------------------------------- Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben. --------------------------------------------- https://heise.de/-6306221 ∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗ --------------------------------------------- The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances. --------------------------------------------- https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher… ∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗ --------------------------------------------- One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe. --------------------------------------------- https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-cleve… ∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗ --------------------------------------------- Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc. Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗ --------------------------------------------- Project: Mail Login Security risk: Moderately critical Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5 --------------------------------------------- https://www.drupal.org/sa-contrib-2021-047 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 46 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗ --------------------------------------------- A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. --------------------------------------------- https://www.openwall.com/lists/oss-security/2021/12/20/4 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/879675/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1304 ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2021
by Daily end-of-shift report 22 Dec '21

22 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-12-2021 18:00 − Mittwoch 22-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ CISA releases Apache Log4j scanner to find vulnerable apps ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by& two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-s… ∗∗∗ The Biggest Cyber Security Developments in 2021 ∗∗∗ --------------------------------------------- As we charge towards another new year, we decided to pulse our threat intelligence team (@teamcymru_s2) for their views on what they perceive to be the biggest developments in cyber security over the past twelve months. --------------------------------------------- https://team-cymru.com/blog/2021/12/21/the-biggest-cyber-security-developme… ∗∗∗ Vorsicht vor betrügerischer BAWAG-SMS ∗∗∗ --------------------------------------------- Eine SMS-Falle kursiert, die dazu aufruft eine angebliche Sicherheits-App von der BAWAG-Bank zu installieren. --------------------------------------------- https://futurezone.at/digital-life/betrug-bawag-sms-phishing/401851228 ∗∗∗ Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look ∗∗∗ --------------------------------------------- There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits. --------------------------------------------- https://threatpost.com/java-supply-chain-log4j-bug/177211/ ∗∗∗ December 2021 Forensic Contest: Answers and Analysis, (Wed, Dec 22nd) ∗∗∗ --------------------------------------------- Thanks to everyone who participated in our December 2021 forensic challenge! You can still find the pcap for our December 2021 forensic contest here. --------------------------------------------- https://isc.sans.edu/diary/rss/28160 ∗∗∗ Vorsicht beim Autokauf: Privatkäufe nicht über easycarpay.net abwickeln ∗∗∗ --------------------------------------------- Wer auf der Suche nach günstigen Gebrauchtautos ist, wird oft auf Kleinanzeigenplattformen fündig. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich plötzlich im Ausland befindet oder andere Ausreden erfindet, wieso eine Besichtigung des Fahrzeugs nicht möglich sei. Spätestens wenn die Verkäuferin oder der Verkäufer vorschlägt, den Kauf über die Webseite easycarpay.net abzuwickeln, sollten Sie den Kontakt abbrechen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-autokauf-privatkaeufe-… ∗∗∗ Ubisoft erneut Opfer eines Cyberangriffs ∗∗∗ --------------------------------------------- Der Spielegigant Ubisoft hat einen Cyberangriff auf seine IT-Infrastruktur bestätigt, der auf das beliebte Spiel Just Dance abzielte. Laut Ubisoft gab es einen Einbruch in die IT-Infrastruktur des Unternehmens. --------------------------------------------- https://www.zdnet.de/88398543/ubisoft-erneut-opfer-eines-cyberangriffs/ ∗∗∗ Mitigating Log4Shell and Other Log4j-Related Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/22/mitigating-log4sh… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA discloses applications impacted by Log4j vulnerability ∗∗∗ --------------------------------------------- NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-discloses-application… ∗∗∗ VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass ∗∗∗ --------------------------------------------- Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication. --------------------------------------------- https://kb.cert.org/vuls/id/692873 ∗∗∗ Active Directory: Microsoft warnt vor einfacher Domain-Übernahme ∗∗∗ --------------------------------------------- Zwei bekannte und bereits behobene Fehler in Active Directory ließen sich leicht ausnutzen, warnt Microsoft und empfiehlt dringend Updates. --------------------------------------------- https://www.golem.de/news/active-directory-microsoft-warnt-vor-einfacher-do… ∗∗∗ Four Bugs in Microsoft Teams Left Platform Vulnerable Since March ∗∗∗ --------------------------------------------- Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack. --------------------------------------------- https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 68 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ WordPress-Plug-in: Kritische Lücke in All In One SEO bedroht Millionen Websites ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites mit All in One SEO mit Schadcode attackieren. Eine abgesicherte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-6304412 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/879492/ ∗∗∗ Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (UPDATE) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-479842: Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer (Platform, Basic and Advanced) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-479842.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2021
by Daily end-of-shift report 21 Dec '21

21 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 20-12-2021 18:00 − Dienstag 21-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware: Wer hat Angst vor Androids Barrierefreiheit? ∗∗∗ --------------------------------------------- Schadsoftware unter Android nutzt häufig die Accessibility Services, um Sicherheitsfunktionen auszuhebeln. Doch Apps können sich schützen. --------------------------------------------- https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreihe… ∗∗∗ Xcode: Hotfix soll Log4j-Lücke umfahren ∗∗∗ --------------------------------------------- Apples Entwicklungsumgebung enthält eine angreifbare Version der Java-Logging-Bibliothek log4j. Beim Upload von iOS-Apps soll aber ein Fix greifen. --------------------------------------------- https://heise.de/-6301988 ∗∗∗ Have I Been Pwned: 225 Millionen neue Passwörter von britischer Polizeibehörde ∗∗∗ --------------------------------------------- Der Datensatz des Passwort-Prüfdiensts wächst immer weiter. Für Strafverfolgungsbehörden gibt es nun einen Weg, sichergestellte Daten direkt einzuspeisen. --------------------------------------------- https://heise.de/-6301963 ∗∗∗ Google entfernt Malware-infizierte SMS-App aus Play Store ∗∗∗ --------------------------------------------- Auf mehr als 500.000 Installationen kam eine Messages-App in Googles App-Store, die die Malware Joker einschleppte. Inzwischen hat Google die App entfernt. --------------------------------------------- https://heise.de/-6302544 ∗∗∗ Sicher verkaufen auf Willhaben, Shpock & Co ∗∗∗ --------------------------------------------- Sie möchten ungenutzte Gegenstände weiterverkaufen? Mit Plattformen wie willhaben, shpock oder Facebook haben Sie zahlreiche Möglichkeiten, alte Möbel, vernachlässigte Sportausrüstung oder Elektrogeräte an den Mann oder die Frau zu bringen. Dabei gibt es aber einiges zu beachten! Wir zeigen Ihnen, wie Sie sicher über Kleinanzeigenplattformen verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpoc… ∗∗∗ Backdoor CVE-2021-40859 in Auerswald Telefonanlagen (z.B. COMpact 5500R 7.8A & 8.0B) gefixt ∗∗∗ --------------------------------------------- Auerswald ist ein deutscher Hersteller von Telefonanlagen für den Unternehmenseinsatz. Sicherheitsforscher haben in der Firmware von Auerswald Telefonanlagen (z.B. COMpact 5500R) Hintertüren entdeckt, über die man das Administrator-Passwort zurücksetzen konnte. Dies wurde zum 20.12.2021 offen gelegt. Hier einige Informationen dazu. --------------------------------------------- https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswa… ∗∗∗ Two Active Directory Bugs Lead to Easy Windows Domain Takeover ∗∗∗ --------------------------------------------- Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12. --------------------------------------------- https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/ ∗∗∗ Day 10: where we are with log4j from honeypot’s perspective ∗∗∗ --------------------------------------------- Our team spent great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs, --------------------------------------------- https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-t… ∗∗∗ [SANS ISC] More Undetected PowerShell Dropper ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place. --------------------------------------------- https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dr… ∗∗∗ Velociraptor & Loki ∗∗∗ --------------------------------------------- Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server [...] --------------------------------------------- https://blog.rootshell.be/2021/12/21/velociraptor-loki/ ∗∗∗ RCE in Visual Studio Codes Remote WSL for Fun and Negative Profit ∗∗∗ --------------------------------------------- The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system. --------------------------------------------- https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-f… ∗∗∗ Log4j vulnerability: what should boards be asking? ∗∗∗ --------------------------------------------- Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be… ∗∗∗ FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product. --------------------------------------------- https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-d… ∗∗∗ After ransomware attack, global logistics firm Hellmann warns of scam calls and mail ∗∗∗ --------------------------------------------- Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail. --------------------------------------------- https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm… ∗∗∗ Why vulnerabilities are like buses ∗∗∗ --------------------------------------------- How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 30 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/879360/ ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01 ∗∗∗ Horner Automation Cscape EnvisionRV ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03 ∗∗∗ Emerson DeltaV ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04 ∗∗∗ Schneider Electric Rack PDU (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ Fresenius Kabi Agilia Connect Infusion System ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01 ∗∗∗ Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products ∗∗∗ --------------------------------------------- BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. \[1\]Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-572602.html ∗∗∗ SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt ∗∗∗ Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-… ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2021-44228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2021
by Daily end-of-shift report 20 Dec '21

20 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-12-2021 18:00 − Montag 20-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Upgraded to log4j 2.16? Surprise, theres a 2.17 fixing DoS: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surpri… Log4j vulnerability now used to install Dridex banking malware: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used… Log4Shell: Mehrheit der Java-Pakete hat noch kein Log4J-Update: https://www.golem.de/news/log4shell-mehrheit-der-java-pakete-hat-noch-kein-… Answering Log4Shell-related questions: https://securelist.com/answering-log4shell-related-questions/105402/ Third Log4J Bug Can Trigger DoS; Apache Issues Patch: https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/ TellYouThePass ransomware revived in Linux, Windows Log4j attacks: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability: https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.ht… Second Log4j Vulnerability (CVE-2021-45046) Discovered - New Patch Released: https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html Google: OSS-Fuzz soll Log4j-Fehler in Open-Source-Software finden: https://heise.de/-6298560 Erster Wurm "kriecht" durch Log4j-Sicherheitslücke: https://heise.de/-6299080 Was Geschäftsführer jetzt über Log4Shell wissen sollten: https://www.welivesecurity.com/deutsch/2021/12/17/was-geschaeftsfuehrer-ueb… Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to… Log4j-Infos, belgisches Verteidigungsministerium betroffen?: https://www.borncity.com/blog/2021/12/20/log4j-infos-belgisches-verteidigun… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ Western Digital warns customers to update their My Cloud devices ∗∗∗ --------------------------------------------- Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. --------------------------------------------- https://www.bleepingcomputer.com/news/security/western-digital-warns-custom… ∗∗∗ Office 2021: VBA Project Version, (Sun, Dec 19th) ∗∗∗ --------------------------------------------- 2 years ago, in diary entry "VBA Office Document: Which Version?", I listed all internal VBA project version numbers for the Office versions I had access to. --------------------------------------------- https://isc.sans.edu/diary/rss/28150 ∗∗∗ Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store ∗∗∗ --------------------------------------------- A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge. --------------------------------------------- https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html ∗∗∗ Inside a PBX - Discovering a Firmware Backdoor ∗∗∗ --------------------------------------------- This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859). --------------------------------------------- https://blog.redteam-pentesting.de/2021/inside-a-pbx/ ∗∗∗ Weniger Datenklau am Geldautomaten: "Skimming nicht mehr interessant" ∗∗∗ --------------------------------------------- Kriminelle können mit per Skimming erbeuteten Daten von Bankkunden immer weniger anfangen. Weitaus größere Schäden richten inzwischen andere Methoden an. --------------------------------------------- https://heise.de/-6298777 ∗∗∗ Erpressergruppe Conti nutzt Sicherheitslücke "Log4Shell" für ihre Ransomware ∗∗∗ --------------------------------------------- Der Erpressungstrojaner der bekannten Conti-Gang wird bereits auf die Lücke "Log4Shell" losgelassen. Damit wächst das Bedrohungspotenzial deutlich. --------------------------------------------- https://heise.de/-6298874 ∗∗∗ Sicherheitsrisiko: Support für einige NAS-Systeme von Western Digital läuft aus ∗∗∗ --------------------------------------------- Mehrere NAS-Modelle der My-Cloud-Serie bekommen bald keine Sicherheitsupdates mehr. Diese Geräte sollten nicht mehr am Internet hängen. --------------------------------------------- https://heise.de/-6299386 ∗∗∗ Analyse, wie TeamTNT Docker-Hub-Konten kompromittiert ∗∗∗ --------------------------------------------- Und schon sind wir beim 19. Türchen im Security-Adventskalender meines Blogs und ich schiebe mal ein weiteres Sicherheitsthema hinter dieses Türchen. Der Sicherheitsanbieter Trend Micro hat einen Bericht veröffentlicht, der beleuchtet, wie der Bedrohungsakteur TeamTNT vorgeht, um Konten von Docker-Hubs [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/19/analyse-wie-teamtnt-docker-hub-kon… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.5 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.5 & 4.4. --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ Kernel Karnage – Part 7 (Out of the Lab and Back to Reality) ∗∗∗ --------------------------------------------- This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. --------------------------------------------- https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-b… ∗∗∗ Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password ∗∗∗ --------------------------------------------- After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts. An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password. --------------------------------------------- https://asec.ahnlab.com/en/29871/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0029 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address SSRF vulnerability (CVE-2021-22054) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0029.html ∗∗∗ VMSA-2021-0030 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0030.html ∗∗∗ XSA-392 ∗∗∗ --------------------------------------------- Guest can force Linux netback driver to hog large amounts of kernel memory --------------------------------------------- https://xenbits.xen.org/xsa/advisory-392.html ∗∗∗ XSA-391 ∗∗∗ --------------------------------------------- Rogue backends can cause DoS of guests via high frequency events --------------------------------------------- https://xenbits.xen.org/xsa/advisory-391.html ∗∗∗ XSA-376 ∗∗∗ --------------------------------------------- frontends vulnerable to backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-376.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/879228/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0007.html ∗∗∗ Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector [...] --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-dete… *** Log4j Security Advisories *** --------------------------------------------- Security Advisory - Apache Log4j2 CVE 2021-44228 (Log4Shell): https://www.beyondtrust.com/blog/entry/security-advisory-apache-log4j2-cve-… Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… Log4j Vulnerability CVE-2021-45105: What You Need to Know: https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-… An update on the Apache Log4j CVE-2021-44228 vulnerability: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… Citrix Security Advisory for Apache CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105: https://support.citrix.com/article/CTX335705 Log4j Zero-Day Vulnerability: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor: https://www.thezdi.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via… CVE-2021-44228 Impact of Log4j Vulnerability CVE-2021-44228 and CVE-2021-45046 (Severity: CRITICAL): https://security.paloaltonetworks.com/CVE-2021-44228 SSA-661247 V1.5 (Last Update: 2021-12-19): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt SSA-501673 V1.0: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-501673.txt Apache Log4j Vulnerability: http://security.googleblog.com/2021/12/apache-log4j-vulnerability.html Log4j Update Patches New Vulnerability That Allows DoS Attacks: https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1296 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2021
by Daily end-of-shift report 17 Dec '21

17 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-12-2021 18:00 − Freitag 17-12-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4j attackers switch to RMI to inject code and mine Monero ∗∗∗ --------------------------------------------- Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success. --------------------------------------------- https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rm… ∗∗∗ Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16) ∗∗∗ --------------------------------------------- After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution. --------------------------------------------- https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploit… ∗∗∗ How to Find and Fix a WordPress Pharma Hack ∗∗∗ --------------------------------------------- Did you know that one quarter of all spam emails are accredited to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results. Why, and how did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection? The answer is - money. --------------------------------------------- https://blog.sucuri.net/2021/12/how-to-find-and-fix-a-wordpress-pharma-hack… ∗∗∗ SWITCH Security Report November/December 2021 ∗∗∗ --------------------------------------------- Dear Reader The latest issue of our bi-monthly SWITCH Security Report is available. The main topics of the current report are: GoldDust but no nuggets: seven REvil partners caught, but the real orchestrators are still out there / EasyHack? Data belonging to COVID-19 loan recipients stolen from EasyGov platform / Tor under siege: massive de-anonymisation attacks target Tor network [...] --------------------------------------------- https://securityblog.switch.ch/2021/12/17/switch-security-report-2021-10-11/ ∗∗∗ Kritische Lücke bedroht Desktop-Management-System VMware Workspace ONE UEM ∗∗∗ --------------------------------------------- Angreifer könnten auf Servern liegende Informationen einsehen. Dagegen abgesicherte Versionen von VMwares Management-Software sind erschienen. --------------------------------------------- https://heise.de/-6297742 ∗∗∗ CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive ∗∗∗ --------------------------------------------- CISA had previously given civilian federal agencies until December 24 to apply any patches. --------------------------------------------- https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4… ∗∗∗ NSA and CISA Release Final Part IV of Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part IV: Ensure Integrity of Cloud Infrastructure focuses on platform integrity, microservices infrastructure integrity, launch time integrity, and build time security to ensure that 5G cloud resources are not modified without authorization. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/16/nsa-and-cisa-rele… ∗∗∗ Conti ransomware group adopts Log4Shell exploit ∗∗∗ --------------------------------------------- The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations. --------------------------------------------- https://therecord.media/conti-ransomware-group-adopts-log4shell-exploit/ ∗∗∗ Insides zu Irlands Health Service Executive Ransomware-Fall im Mai 2021 ∗∗∗ --------------------------------------------- Heute ist Türchen Nummer 17 im Sicherheits-Adventskalender dran. Ich habe da einen besonderen "Leckerbissen" für Administratoren hinterlegt. Im Mai 2021 gab es einen Ransomware-Angriff auf die Gesundheitsbehörden Irlands (Health Service Executive, HSE). PricewaterhouseCoopers hat kürzlich eine Analyse vorgelegt, was da [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/17/insides-zu-irlands-health-service-… ===================== = Vulnerabilities = ===================== ∗∗∗ UNIVERGE DT Series vulnerable to missing encryption of sensitive data ∗∗∗ --------------------------------------------- UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN13464252/ ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- Update December 17, 11:37 am IBM is focused on the original CVE-2021-44228 as the prevalent risk, requiring our attention and our customers’ attention. With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts). --------------------------------------------- https://lwn.net/Articles/879020/ ∗∗∗ Xylem AquaView ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Xylem AquaView SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-01 ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Read vulnerability in Delta Electronics CNCSoft industrial automation software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-02 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in the Wibu-Systems CodeMeter Runtime server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03 ∗∗∗ Mitsubishi Electric GX Works2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in #Mitsubishi Electrics GX Works2 engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-04 ∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-… ∗∗∗ Security Bulletin: Apache Log4J vulnerabilities affect IBM Cloud Object Storage File Access (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ K32171392: Apache Log4j2 vulnerability CVE-2021-45046 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32171392 ∗∗∗ Logback: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2021
by Daily end-of-shift report 16 Dec '21

16 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-12-2021 18:00 − Donnerstag 16-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Large-scale phishing study shows who bites the bait more often ∗∗∗ --------------------------------------------- A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-s… ∗∗∗ Emotet starts dropping Cobalt Strike again for faster attacks ∗∗∗ --------------------------------------------- Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobal… ∗∗∗ Hive ransomware enters big league with hundreds breached in four months ∗∗∗ --------------------------------------------- The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-l… ∗∗∗ A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution ∗∗∗ --------------------------------------------- Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-cl… ∗∗∗ PseudoManuscrypt: a mass-scale spyware attack campaign ∗∗∗ --------------------------------------------- Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. --------------------------------------------- https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaig… ∗∗∗ 'DarkWatchman' RAT Shows Evolution in Fileless Malware ∗∗∗ --------------------------------------------- The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access. --------------------------------------------- https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/ ∗∗∗ How the "Contact Forms" campaign tricks people, (Thu, Dec 16th) ∗∗∗ --------------------------------------------- "Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint. --------------------------------------------- https://isc.sans.edu/diary/rss/28142 ∗∗∗ Log4j-Lücke: Erste Angriffe mit Ransomware und von staatlicher Akteuren ∗∗∗ --------------------------------------------- Die bisherigen Angriffsversuche waren wohl vor allem Tests. Doch jetzt wird es Ernst. Cybercrime und Geheimdienste nutzen die Lücke gezielt für ihre Zwecke. --------------------------------------------- https://heise.de/-6296549 ∗∗∗ When is a Scrape a Breach? ∗∗∗ --------------------------------------------- A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach? --------------------------------------------- https://www.troyhunt.com/when-is-a-scrape-a-breach/ ∗∗∗ Achtung: giesswein-outdoor.de ist ein Fake-Shop! ∗∗∗ --------------------------------------------- Die Webseite giesswein-outdoor.de sieht auf den ersten Blick sehr seriös aus. Doch tatsächlich handelt es sich um einen Fake-Shop, der das österreichische Unternehmen Giesswein imitiert. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-… ∗∗∗ The dirty dozen of Latin America: From Amavaldo to Zumanek ∗∗∗ --------------------------------------------- The grand finale of our series dedicated to demystifying Latin American banking trojans. --------------------------------------------- https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavald… ∗∗∗ Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware ∗∗∗ --------------------------------------------- New ransomware used in mid-November attack, ConnectWise was likely infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions ∗∗∗ --------------------------------------------- Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address. --------------------------------------------- https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo laptops vulnerable to bug allowing admin privileges ∗∗∗ --------------------------------------------- Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble). --------------------------------------------- https://lwn.net/Articles/878844/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt ∗∗∗ TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-004 ∗∗∗ TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-003 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2021
by Daily end-of-shift report 15 Dec '21

15 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-12-2021 18:00 − Mittwoch 15-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ransomware now being deployed in Log4Shell attacks ∗∗∗ --------------------------------------------- The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-dep… ∗∗∗ Simple but Undetected PowerShell Backdoor, (Wed, Dec 15th) ∗∗∗ --------------------------------------------- For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is another example with a simple but effective PowerShell backdoor that I spotted yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/28138 ∗∗∗ GitHubs Antwort auf die kritische Log4j-Lücke ∗∗∗ --------------------------------------------- Zu der kritischen Sicherheitslücke im Log4j-Logging-Framework hat der Code-Hoster Sicherheitshinweise veröffentlicht. Ein Update auf Log4j 2.16 schafft Abhilfe. --------------------------------------------- https://heise.de/-6294120 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viele schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Experience Manager & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. In einigen Fällen könnten Angreifer Schadcode auf Computern ausführen. --------------------------------------------- https://heise.de/-6295316 ∗∗∗ Patchday: Sechs Windows-Lücken öffentlich bekannt, durch eine schlüpft Emotet ∗∗∗ --------------------------------------------- Microsoft schließt zahlreiche Sicherheitslücken in beispielsweise Azure, Office und Windows. Darunter sind auch als kritisch eingestufte Lücken. --------------------------------------------- https://heise.de/-6295264 ∗∗∗ Neue Probleme - Log4j-Patch genügt nicht ∗∗∗ --------------------------------------------- Version 2.15.0 von Log4j sollte die Log4Shell-Sicherheitslücke schließen. Das reichte jedoch nicht. Log4j 2.16.0 behebt nun noch eine weitere Schwachstelle. --------------------------------------------- https://heise.de/-6295343 ∗∗∗ Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/15/immediate-steps-s… ∗∗∗ No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages ∗∗∗ --------------------------------------------- NPM modules are a valuable target for threat actors due to their popularity amongst developers. They also have a high prevalence of complex dependencies, where one package installs another as a dependency often without the knowledge of the developer. --------------------------------------------- https://www.mandiant.com/resources/supply-chain-node-js ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) ∗∗∗ --------------------------------------------- After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046. --------------------------------------------- https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Apache Log4J information, WebSphere Application Server, i2 Analyze, i2 Connect, Analyst’s Notebook Premium, Security Access Manager, Security Verify Access, App Connect, Integration Bus, QRadar SIEM Application Framework, Sterling File Gateway, Cloud Transformation Advisor, MQ Blockchain bridge, WebSphere Cast Iron, Power System, Rational Asset Analyzer, Disconnected Log Collector, SPSS Statistics, Power HMC --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Intel Product Advisory for Apache Log4j2 Vulnerabilities (CVE-2021-44228 & CVE-2021-45046) ∗∗∗ --------------------------------------------- Security vulnerabilities in Apache Log4j2 for some Intel® products may allow escalation of privilege or denial of service. --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Apache log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- ABB is still investigating the potentially affected products and to date ABB has identified the following products which are likely affected by the vulnerabilities in log4j (ABB products not listed are initially evaluated as not impacted). --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/878749/ ∗∗∗ Security Advisory - Intel Microarchitectural Data Sampling (MDS) vulnerabilities ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20190712-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1277 ∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1282 ∗∗∗ Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500458-AUTHENTICATION-BYPASS-V… ∗∗∗ Lenovo Vantage Component Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500461-LENOVO-VANTAGE-COMPONEN… ∗∗∗ TLB Poisoning Attacks on AMD Secure Encrypted Virtualization (SEV) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500459-TLB-POISONING-ATTACKS-O… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2021
by Daily end-of-shift report 14 Dec '21

14 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 13-12-2021 18:00 − Dienstag 14-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Log4j: List of vulnerable products and vendor advisories https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-pro… Log4J-Lücke: BSI gibt vorschnell Entwarnung für Verbraucher https://www.golem.de/news/log4j-luecke-bsi-gibt-vorschnell-entwarnung-fuer-… Log4Shell Is Spawning Even Nastier Mutations https://threatpost.com/apache-log4j-log4shell-mutations/176962/ Log4j: Getting ready for the long haul (CVE-2021-44228), (Tue, Dec 14th) https://isc.sans.edu/diary/rss/28130 Log4j 2.16.0 verbessert Schutz vor Log4Shell-Lücke https://heise.de/-6294053 Kommentar zu Log4j: Es funktioniert wie spezifiziert https://heise.de/-6294476 GitHubs Antwort auf die kritische Log4j-Lücke https://heise.de/-6294120 Security company offers Log4j vaccine for systems that cant be updated immediately https://www.zdnet.com/article/security-company-offers-log4j-vaccine-for-sys… CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 https://us-cert.cisa.gov/ncas/current-activity/2021/12/13/cisa-creates-webp… The numbers behind a cyber pandemic – detailed dive https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-… Log4Shell (Log4j RCE): Detecting Post-Exploitation Evidence is Best Chance for Mitigation https://www.intezer.com/blog/cloud-security/log4shell-mitigation/ Log4Shell log4j vulnerability (CVE-2021-44228) - cheat-sheet reference guide https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ --------------------------------------------- https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ ∗∗∗ Anubis Android malware returns to target 394 financial apps ∗∗∗ --------------------------------------------- The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anubis-android-malware-retur… ∗∗∗ Malware und Security: Microsoft bietet Analyse potenziell gefährlicher Treiber an ∗∗∗ --------------------------------------------- Mit Hilfe eines Formulars können Kunden Treiber zu Microsoft schicken. Die werden erst automatisiert und bei Bedarf von Menschen geprüft. --------------------------------------------- https://www.golem.de/news/malware-und-security-microsoft-bietet-analyse-pot… ∗∗∗ Owowa: the add-on that turns your OWA into a credential stealer and remote access panel ∗∗∗ --------------------------------------------- We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. --------------------------------------------- https://securelist.com/owowa-credential-stealer-and-remote-access/105219/ ∗∗∗ How Malware Gets On Your Website ∗∗∗ --------------------------------------------- Almost since the Internet’s inception malware infections have kept pace to be the biggest nuisance a site owner experiences. With an ever growing amount of sites making up the World Wide Web, malware infections only become more common. In this article we’ll discuss what malware is, the various types we’ve come across, the methods used to inject malware into a site, and how you can harden/protect your site from these methods. --------------------------------------------- https://blog.sucuri.net/2021/12/how-malware-gets-on-your-website.html ∗∗∗ Gefährliche Lücken in Server-Backupsoftware IBM Spectrum Protect geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit IBM Spectrum Protect angreifen und im schlimmsten Fall Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6294287 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viel schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Vorsicht, wenn Ihre Internetbekanntschaft um Geld bittet ∗∗∗ --------------------------------------------- Sie haben auf einer Dating-Plattform einen Mann kennengelernt? Er ist zuvorkommend, gutaussehend und noch dazu gebildet? Es gibt nur einen Haken: Er befindet sich gerade im Ausland. Mit Ihrer finanziellen Unterstützung steht einem baldigen Treffen aber nichts im Weg. Achtung: Sie sind an einen Love-Scammer geraten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-ihre-internetbekanntsc… ∗∗∗ Apple releases Android app to find rogue AirTags ∗∗∗ --------------------------------------------- Apple has released an Android app on Monday to help Android users detect malicious nearby AirTag devices that might be used to track them. --------------------------------------------- https://therecord.media/apple-releases-android-app-to-find-malicious-airtag… ===================== = Vulnerabilities = ===================== *** Advisories zur Log4j-Schwachstelle *** --------------------------------------------- SSA-661247: Apache Log4j Vulnerability (CVE-2021-44228, Log4Shell) - Impact to Siemens Products https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt JSA11259 https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259 Vulnerability in Apache Log4j Library https://www.qnap.com/en-us/security-advisory/QSA-21-58 Apache Log4j Vulnerability https://support.lenovo.com/product_security/PS500457-APACHE-LOG4J-VULNERABI… Security Notice – Statement About Apache Log4j2 Remote Code Execution Vulnerability(CVE-2021-44228) https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… ∗∗∗ Dell driver fix still allows Windows Kernel-level attacks ∗∗∗ --------------------------------------------- Dells driver fix of the CVE-2021-21551 vulnerability leaves margin for catastrophic BYOVD attacks resulting in Windows kernel driver code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Info about Log4Shell in IBM Products, Novalink, WebSphere Application Server, WebSphere MQ for HP NonStop Server, MQ for HP NonStop Server, Tivoli Netcool, Netezza Analytics, Netezza Host Management --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwere Sicherheitslücken in iOS und macOS: Apple-Updates bald einspielen ∗∗∗ --------------------------------------------- iOS 15.2 und macOS 12.1 beseitigen Schwachstellen, die unter anderem den Remote-Jailbreak erlaubten. Für ältere Systemversionen fehlen Patches teilweise. --------------------------------------------- https://heise.de/-6294390 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsamplerate and raptor2), Fedora (pam-u2f and python-markdown2), openSUSE (chromium, fetchmail, ImageMagick, and postgresql10), Oracle (samba), SUSE (fetchmail, postgresql10, python-pip, python3, and sles12sp2-docker-image), and Ubuntu (apache-log4j2, flatpak, glib, and samba). --------------------------------------------- https://lwn.net/Articles/878629/ ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- This advisory contains mitigations for SQL Injection, and Improper Privilege Management vulnerabilities in the Advantech R-SeeNet monitoring application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-01 ∗∗∗ Schneider Electric Rack PDU ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cross-site Scripting vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ K73710094: XSS vulnerability in undisclosed page of the NGINX Swagger UI ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73710094 ∗∗∗ ZDI-21-1536: Trend Micro Maximum Security Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1536/ ∗∗∗ ZDI-21-1535: McAfee Database Security Improper Access Control Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1535/ *** Siemens Security Advisories *** --------------------------------------------- SSA-496292: Remote Code Execution Vulnerability in POWER METER SICAM Q100 https://cert-portal.siemens.com/productcert/txt/ssa-496292.txt SSA-463116: Multiple Access Control Vulnerabilities in Siveillance Identity before https://cert-portal.siemens.com/productcert/txt/ssa-463116.txt SSA-400332: Insufficient Design IP Protection in IEEE 1735 Recommended Practice - Impact to Questa and ModelSim https://cert-portal.siemens.com/productcert/txt/ssa-400332.txt SSA-396621: Multiple File Parsing Vulnerabilities in JTTK before V10.8.1.1 and JT Utilities before V12.8.1.1 https://cert-portal.siemens.com/productcert/txt/ssa-396621.txt SSA-390195: LibVNC Vulnerabilities in SIMATIC ITC Products https://cert-portal.siemens.com/productcert/txt/ssa-390195.txt SSA-352143: Multiple File Parsing Vulnerabilities in JTTK before V11.0.3.0 and JT Utilities before V13.0.3.0 https://cert-portal.siemens.com/productcert/txt/ssa-352143.txt SSA-199605: Arbitrary File Download Vulnerability in SIMATIC eaSie PCS 7 Skill Package https://cert-portal.siemens.com/productcert/txt/ssa-199605.txt SSA-161331: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2021.3.1 https://cert-portal.siemens.com/productcert/txt/ssa-161331.txt SSA-160202: Multiple Access Control Vulnerabilities in SiPass Integrated https://cert-portal.siemens.com/productcert/txt/ssa-160202.txt SSA-133772: Zip Path Traversal Vulnerability in Teamcenter Active Workspace https://cert-portal.siemens.com/productcert/txt/ssa-133772.txt SSA-523250: Improper Certificate Validation Vulnerability in SINUMERIK Edge https://cert-portal.siemens.com/productcert/txt/ssa-523250.txt SSA-595101: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.5 https://cert-portal.siemens.com/productcert/txt/ssa-595101.txt SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR https://cert-portal.siemens.com/productcert/txt/ssa-620288.txt SSA-802578: Multiple File Parsing Vulnerabilities in JTTK before V11.1.1.0 and JT Utilities before V13.1.1.0 https://cert-portal.siemens.com/productcert/txt/ssa-802578.txt --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2021
by Daily end-of-shift report 13 Dec '21

13 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-12-2021 18:00 − Montag 13-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Schutz vor Log4j-Lücke – was hilft jetzt und was eher nicht ∗∗∗ --------------------------------------------- "Warnstufe Rot" für Anwender und Firmen, doch was bedeutet das konkret? So testen Sie Dienste auf die Log4j-Lücke und reduzieren ihr Risiko vor Angriffen. --------------------------------------------- https://heise.de/-6292961 ∗∗∗ log4j-scan ∗∗∗ --------------------------------------------- We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. --------------------------------------------- https://github.com/fullhunt/log4j-scan ∗∗∗ Ten families of malicious samples are spreading using the Log4j2 vulnerability Now ∗∗∗ --------------------------------------------- On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10. --------------------------------------------- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading… ∗∗∗ log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 ∗∗∗ --------------------------------------------- tl;dr Run add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...] --------------------------------------------- https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitiga… ∗∗∗ Malicious PyPI packages with over 10,000 downloads taken down ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers report. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with… ∗∗∗ Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group ∗∗∗ --------------------------------------------- A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...] --------------------------------------------- https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html ∗∗∗ HANCITOR DOC drops via CLIPBOARD ∗∗∗ --------------------------------------------- Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via… ∗∗∗ Diavol Ransomware ∗∗∗ --------------------------------------------- In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware. --------------------------------------------- https://thedfirreport.com/2021/12/13/diavol-ransomware/ ∗∗∗ Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk ∗∗∗ --------------------------------------------- The post Bugs in the Cloud: How One Vulnerability Exposed ‘Offline’ Devices to a Security Risk appeared first on Claroty. --------------------------------------------- https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vuln… ∗∗∗ Von wegen Darknet – Ransomware-Gangs setzen Opfer per Social Media unter Druck ∗∗∗ --------------------------------------------- Ransomware-Gruppen nutzen soziale Netzwerkkanäle, um ihre Angriffe zu bewerben und damit ihre Opfer weiter zur Lösegeldzahlung unter Druck zu setzen. --------------------------------------------- https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setze… ∗∗∗ Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits ∗∗∗ --------------------------------------------- Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with. --------------------------------------------- https://www.mandiant.com/resources/hunting-deserialization-exploits ===================== = Vulnerabilities = ===================== ∗∗∗ Log4j Vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228). --------------------------------------------- https://github.com/NCSC-NL/log4shell ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- [...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Log4j Zero-Day Vulnerability ∗∗∗ --------------------------------------------- IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… ∗∗∗ Bugs in billions of WiFi, Bluetooth chips allow password, data theft ∗∗∗ --------------------------------------------- Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves its possible to extract passwords and manipulate traffic on a WiFi chip by targeting a devices Bluetooth component. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-blu… ∗∗∗ IBM Security Bulletins 2021-12-10 - 2021-13 ∗∗∗ --------------------------------------------- WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analystss Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...] --------------------------------------------- https://lwn.net/Articles/878520/ ∗∗∗ CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirtee… ∗∗∗ Oracle Security Alert for CVE-2021-44228 - 10 December 2021 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html ∗∗∗ Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Citrix Security Advisory for Apache CVE-2021-44228 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX335705 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2021
by Daily end-of-shift report 10 Dec '21

10 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-12-2021 18:00 − Freitag 10-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps ∗∗∗ --------------------------------------------- Eine Zero-Day-Schwachstelle in Apaches Log4j ermöglicht Angreifern, etwa auf Servern von Cloud-Diensten oder in Anwendungen Schadcode einzuschmuggeln. --------------------------------------------- https://heise.de/-6291653 ∗∗∗ Dark Mirai botnet targeting RCE on popular TP-Link router ∗∗∗ --------------------------------------------- The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-… ∗∗∗ Python Shellcode Injection From JSON Data, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- My hunting rules detected a niece piece of Python code. It's interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56![1]. I see more and more malicious Python code targeting the Windows environments. Thanks to the library ctypes[2], Python is able to use any native API calls provided by DLLs. --------------------------------------------- https://isc.sans.edu/diary/rss/28118 ∗∗∗ Click "OK" to defeat MFA ∗∗∗ --------------------------------------------- A sophisticated threat actor has been using a very unsophisticated method to defeat multi-factor authentication. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/click-ok-to-defeat-mfa/ ∗∗∗ 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs ∗∗∗ --------------------------------------------- Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/ ∗∗∗ Winterurlaub geplant? Buchen Sie nicht über dein-berghuettenurlaub.de! ∗∗∗ --------------------------------------------- Bald ist der Lockdown in Österreich vorbei. Dementsprechend freuen sich wohl schon einige auf eine Auszeit über Weihnachten oder Silvester. Was wäre aufgrund der aktuellen Corona-Lage besser geeignet als eine einsame Hütte? Doch Vorsicht, wer online eine solche Hütte buchen will, könnte auf betrügerische Seiten stoßen! --------------------------------------------- https://www.watchlist-internet.at/news/winterurlaub-geplant-buchen-sie-nich… ∗∗∗ This old malware has just picked up some nasty new tricks ∗∗∗ --------------------------------------------- The crafty Qakbot trojan has added ransomware delivery to its malware building blocks. --------------------------------------------- https://www.zdnet.com/article/this-decade-old-malware-has-picked-up-some-na… ∗∗∗ Microsoft launches center for reporting malicious drivers ∗∗∗ --------------------------------------------- Microsoft has launched this week a special web portal where users and researchers can report malicious drivers to the companys security team. --------------------------------------------- https://therecord.media/microsoft-launches-center-for-reporting-malicious-d… ∗∗∗ Twitter-Thread zur log4j-Schwachstelle ∗∗∗ --------------------------------------------- https://twitter.com/TimPhSchaefers/status/1469271197993115655 ===================== = Vulnerabilities = ===================== ∗∗∗ RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library. --------------------------------------------- https://isc.sans.edu/diary/rss/28120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/878279/ ∗∗∗ WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks ∗∗∗ --------------------------------------------- Western Digital has updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. --------------------------------------------- https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictio… ∗∗∗ Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisco-releases-se… ∗∗∗ Schwachstellen in Oracle-Datenbankservern (SYSS-2021-061/-062) ∗∗∗ --------------------------------------------- In Oracle-Datenbankservern wurden Schwachstellen identifiziert. Sie erlauben es Angreifern, Zugang zur Datenbank von legitimen Benutzern zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-061/syss-2021-062 ∗∗∗ TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j) ∗∗∗ --------------------------------------------- CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.14.1. --------------------------------------------- https://www.circl.lu/pub/tr-65 ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1266 ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js, IBM WebSphere Application Server Liberty, and OpenSSL affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Dec. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor is vulnerable to a carefully crafted IBMi hypervisor call that can lead to a system crash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-is… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor can allow an attacker that gains service access to the FSP to read and write system memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2021
by Daily end-of-shift report 09 Dec '21

09 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-12-2021 18:00 − Donnerstag 09-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious NPM packages are part of a malware “barrage” hitting repositories ∗∗∗ --------------------------------------------- Peoples trust in repositories make them the perfect vectors for malware. --------------------------------------------- https://arstechnica.com/?p=1818997 ∗∗∗ New Cerber ransomware targets Confluence and GitLab servers ∗∗∗ --------------------------------------------- Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-target… ∗∗∗ Grafana fixes zero-day vulnerability after exploits spread over Twitter ∗∗∗ --------------------------------------------- Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-fixes-zero-day-vulne… ∗∗∗ Emotet now drops Cobalt Strike, fast forwards ransomware attacks ∗∗∗ --------------------------------------------- In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-stri… ∗∗∗ The life cycle of phishing pages ∗∗∗ --------------------------------------------- Weve analyzed the life cycle of phishing pages, how they transform during their active period, and the domains where they're located. --------------------------------------------- https://securelist.com/phishing-page-life-cycle/105171/ ∗∗∗ Moobot Botnet Chews Up Hikvision Surveillance Systems ∗∗∗ --------------------------------------------- Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned. --------------------------------------------- https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/ ∗∗∗ PHP Re-Infectors – The Malware that Keeps On Giving ∗∗∗ --------------------------------------------- Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website. --------------------------------------------- https://blog.sucuri.net/2021/12/php-re-infectors-the-malware-that-keeps-on-… ∗∗∗ Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs ∗∗∗ --------------------------------------------- At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices. --------------------------------------------- https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html ∗∗∗ Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Microsoft and others’ popular OAuth2.0 implementations lead to redirection attacks that bypass most phishing detection solutions and email security solutions. --------------------------------------------- https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oaut… ∗∗∗ Virtualisiertes USB als Sicherheitslücke ∗∗∗ --------------------------------------------- USB+Cloud=Gefahr. Lücken in USB-über-Ethernet-Treibern für Clouddienste erlauben Angreifern, lokal und serverseitig beliebigen Code im Kernel-Modus auszuführen. --------------------------------------------- https://heise.de/-6289521 ∗∗∗ Is your web browser vulnerable to data theft? XS-Leak explained ∗∗∗ --------------------------------------------- IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway? --------------------------------------------- https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnera… ∗∗∗ Was threat actor KAX17 de-anonymizing the Tor network? ∗∗∗ --------------------------------------------- A threat actor was found to be running a high percentage of the Tor Networks servers. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/was-threat-actor-kax17-de-ano… ∗∗∗ Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering ∗∗∗ --------------------------------------------- Patient zero web threats are malicious URLs that are being seen for the first time. We discuss how to stop them despite attacker cloaking techniques. --------------------------------------------- https://unit42.paloaltonetworks.com/patient-zero-web-threats/ ∗∗∗ CISA Releases Guidance on Protecting Organization-Run Social Media Accounts ∗∗∗ --------------------------------------------- CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisa-releases-gui… ∗∗∗ Two Birds with One Stone: An Introduction to V8 and JIT Exploitation ∗∗∗ --------------------------------------------- In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021. --------------------------------------------- https://www.thezdi.com/blog/2021/12/6/two-birds-with-one-stone-an-introduct… ∗∗∗ Kernel Karnage – Part 6 (Last Call) ∗∗∗ --------------------------------------------- Having covered process, thread and image callbacks in the previous blogposts, I think it’s only fair if we conclude this topic with registry and object callbacks. --------------------------------------------- https://blog.nviso.eu/2021/12/09/kernel-karnage-part-6-last-call/ ===================== = Vulnerabilities = ===================== ∗∗∗ SanDisk SecureAccess bug allows brute forcing vault passwords ∗∗∗ --------------------------------------------- Western Digital has fixed a security vulnerability that enabled attackers to brute force SanDisk SecureAccess passwords and access the users protected files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sandisk-secureaccess-bug-all… ∗∗∗ IBM Security Bulletins 2021-12-07 and 2021-12-08 ∗∗∗ --------------------------------------------- DB2, WebSphere Application Server, Tivoli Business Service Manager, PowerHA, Guardium Data Encryption, Watson Speech Services, Process Designer, Business Automation Workflow --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Jetzt patchen! Root-Lücke in Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen unter anderem kritische Schwachstellen in Secure-Mobile-Access-Appliances. --------------------------------------------- https://heise.de/-6290012 ∗∗∗ FortiOS- und FortiProxy-Updates schließen Sicherheitslücken, Check empfohlen ∗∗∗ --------------------------------------------- Fortinet ist auf ein unterwandertes System gestoßen und empfiehlt Administratoren die Überprüfung auf Einbruchsspuren. Zudem stehen Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6290546 ∗∗∗ LibreOffice zieht Update wegen kritischer Schwachstelle vor ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der NSS-Bibliothek betrifft auch LibreOffice und ermöglicht das Unterschieben von Schadcode. Updates zur Absicherung stehen bereit. --------------------------------------------- https://heise.de/-6290069 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss). --------------------------------------------- https://lwn.net/Articles/878038/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/878142/ ∗∗∗ Bentley BE-2021-0005: Out-of-bounds and use-after-free vulnerabilities in Bentley MicroStation and Bentley View ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 ∗∗∗ Helmholz: Remote user enumeration in myREX24/myREX24-virtual ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-058/ ∗∗∗ Helmholz: Privilege Escalation in shDialup ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-057/ ∗∗∗ Hitachi Energy RTU500 OpenLDAP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-01 ∗∗∗ Hitachi Energy XMC20 and FOX61x ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-02 ∗∗∗ FANUC Robot Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-243-02 ∗∗∗ Hillrom Welch Allyn Cardio Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-343-01 ∗∗∗ Hitachi Energy GMS600, PWC600, and Relion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-01 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-02 ∗∗∗ Multiple Vulnerabilities in Bosch BT software products ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html ∗∗∗ Stack Buffer Overflow Vulnerability in Surveillance Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-46 ∗∗∗ Reflected XSS Vulnerability in Kazoo Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-54 ∗∗∗ Improper Authentication Vulnerability in Qfile ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-55 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2021
by Daily end-of-shift report 07 Dec '21

07 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 06-12-2021 18:00 − Dienstag 07-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Code-Schmuggel-Sicherheitslücke in Windows nur halbherzig geschlossen ∗∗∗ --------------------------------------------- Eine Lücke in Windows, die bösartige Webseiten zum Ausführen von Schadcode missbrauchen könnte, lässt sich trotz Update noch eingeschränkt missbrauchen. --------------------------------------------- https://heise.de/-6288402 ∗∗∗ Achtung: Jobangebote von „ab-group.info“ & „mctrl-marktforschung.com“ sind Fake ∗∗∗ --------------------------------------------- Homeoffice, flexible Arbeitszeiten, frei wählbare Anstellungsverhältnisse und obendrein gut bezahlt. Das versprechen Marktforschungsagenturen wie „ab-group.info“ & „mctrl-marktforschung.com“. Doch Vorsicht: Dabei handelt es sich um betrügerische Jobangebote. Interessierte übermitteln bei einer Bewerbung persönliche Daten sowie Ausweiskopien an Kriminelle. Im schlimmsten Fall werden im eigenen Namen Bankkonten für Kriminelle eröffnet! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-jobangebote-von-ab-groupinfo… ∗∗∗ STOP Ransomware vaccine released to block encryption ∗∗∗ --------------------------------------------- German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims files after infection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-vaccine-rele… ∗∗∗ Apache Kafka Cloud Clusters Expose Sensitive Data for Large Companies ∗∗∗ --------------------------------------------- The culprit is misconfigured Kafdrop interfaces, used for centralized management of the open-source platform. --------------------------------------------- https://threatpost.com/apache-kafka-cloud-clusters-expose-data/176778/ ∗∗∗ WooCommerce Credit Card Swiper Injected Into Random Plugin Files ∗∗∗ --------------------------------------------- It’s that time of year again! While website owners always need to be on guard, the holidays season is when online scams and credit card theft are most rampant. Administrators of ecommerce websites need to be extra vigilant as this case will demonstrate. --------------------------------------------- https://blog.sucuri.net/2021/12/woocommerce-credit-card-swiper-injected-int… ∗∗∗ Cryptominers arent just a headache – theyre a big neon sign that Bad Things are on your network ∗∗∗ --------------------------------------------- So says Sophos in warning about Tor2Mine Monero malware Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are theres something worse lurking on your network too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/12/07/sophos_tor2m… ∗∗∗ Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm ∗∗∗ --------------------------------------------- Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted. --------------------------------------------- https://blog.fox-it.com/2021/12/07/encryption-does-not-equal-invisibility-d… ∗∗∗ XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit ∗∗∗ --------------------------------------------- In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as "XE Group". Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern: Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities) Monetization of these compromises through installation of password theft or credit card skimming code for web [...] --------------------------------------------- https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hackin… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer attackieren PC-Management-Software Zoho ManageEngine Desktop Central ∗∗∗ --------------------------------------------- Nur die neusten Versionen schützen die Software. Zoho rät zu zügigen Updates. --------------------------------------------- https://heise.de/-6287937 ∗∗∗ 27 flaws in USB-over-network SDK affect millions of cloud users ∗∗∗ --------------------------------------------- Researchers have discovered 27 vulnerabilities in Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/27-flaws-in-usb-over-network… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (nss), Debian (roundcube and runc), openSUSE (aaa_base, brotli, clamav, glib-networking, gmp, go1.16, hiredis, kernel, mozilla-nss, nodejs12, nodejs14, openexr, openssh, php7, python-Babel, ruby2.5, speex, wireshark, and xen), Oracle (kernel and nss), Red Hat (kpatch-patch, nss, rpm, and thunderbird), SUSE (brotli, clamav, glib-networking, gmp, kernel, mariadb, mozilla-nss, nodejs12, nodejs14, openssh, php7, python-Babel, and wireshark), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/877945/ ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1252 ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1251 ∗∗∗ Security Bulletin: Multiple vulnerabilities in Redis affecting the IBM Event Streams UI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Event Streams through Apache Kafka key/password validation (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-even… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-20254) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affecting IBM Event Streams (CVE-2021-22960 and CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-12-2021 18:00 − Montag 06-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Is My Site Hacked? 4 Gut Checks ∗∗∗ --------------------------------------------- Today, we’re looking at 4 quick gut check tests you can do to get the answer to the question, “is my site hacked?” --------------------------------------------- https://blog.sucuri.net/2021/12/is-my-site-hacked-4-gut-checks.html ∗∗∗ Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks ∗∗∗ --------------------------------------------- Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months. The issue, assigned the identifier CVE-2021-44515, is an authentication bypass vulnerability ... --------------------------------------------- https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html ∗∗∗ Malicious KMSPico Windows Activator Stealing Users Cryptocurrency Wallets ∗∗∗ --------------------------------------------- Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. The malware, dubbed "CryptBot," is an information stealer capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and capturing screenshots from the infected systems. --------------------------------------------- https://thehackernews.com/2021/12/malicious-kmspico-windows-activator.html ∗∗∗ The Importance of Out-of-Band Networks ∗∗∗ --------------------------------------------- Out-of-band (or "OoB") networks are usually dedicated to management tasks. Many security appliances and servers have dedicated management interfaces that are used to set up, control, and monitor the device. A best practice is to connect those management interfaces to a dedicated network that is not directly connected to the network used to carry applications/users data. --------------------------------------------- https://isc.sans.edu/diary/rss/28102 ∗∗∗ Who Is the Network Access Broker ‘Babam’? ∗∗∗ --------------------------------------------- Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in stealing remote access credentials -- such as usernames and passwords needed to remotely connect to the targets network. In this post well look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions ... --------------------------------------------- https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/ ∗∗∗ Emotet’s back and it isn’t wasting any time ∗∗∗ --------------------------------------------- Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity. --------------------------------------------- https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wast… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: - Execute code on the affected device or cause it to reload unexpectedly - Cause LLDP database corruption on the affected device --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2021-12-03 ∗∗∗ --------------------------------------------- IBM Event Streams, IBM Cloud Automation Manager, IBM Data Studio Client, EDB PostreSQL with IBM, EDB Postgres Advanced Server with IBM, IBM Data Management Platform (Enterprise, Standard), IBM QRadar SIEM --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (isync, lib32-nss, nss, opera, and vivaldi), Debian (gerbv and xen), Fedora (autotrace, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, libsndfile, nss, pfstools, php-pecl-imagick, psiconv, q, R-magick, rss-glx, rubygem-rmagick, seamonkey, skopeo, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, vim, vips, and WindowMaker), Mageia (golang, kernel, kernel-linus, mariadb, and vim), openSUSE (aaa_base, python-Pygments, singularity, and tor), Red Hat (nss), Slackware (mozilla), SUSE (aaa_base, kernel, openssh, php74, and xen), and Ubuntu (libmodbus, lrzip, samba, and uriparser). --------------------------------------------- https://lwn.net/Articles/877821/ ∗∗∗ ABB Cyber Security Advisory: OmniCore RobotWare Missing Authentication Vulnerability CVE ID: CVE-2021-22279 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCod… ∗∗∗ F5 K50839343: NGINX ModSecurity WAF vulnerability CVE-2021-42717 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50839343 ∗∗∗ F5 K12705583: OpenSSH vulnerability CVE-2021-41617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12705583 ∗∗∗ Auerswald COMpact Multiple Backdoors ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/ ∗∗∗ Auerswald COMpact Arbitrary File Disclosure ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-006/ ∗∗∗ Auerswald COMpact Privilege Escalation ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-005/ ∗∗∗ Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

-- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2021
by Daily end-of-shift report 03 Dec '21

03 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-12-2021 18:00 − Freitag 03-12-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Key Characteristics of Malicious Domains: Report ∗∗∗ --------------------------------------------- Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows. --------------------------------------------- https://www.darkreading.com/threat-intelligence/research-outs-the-providers… ∗∗∗ Vorsicht: „Neue Weihnachts-Emoji für Whatsapp“ ist eine Falle ∗∗∗ --------------------------------------------- Über eine WhatsApp-Nachricht, die Weihnachts-Emoji verspricht, werden Abo-Fallen und Schadsoftware verbreitet. --------------------------------------------- https://futurezone.at/apps/vorsicht-neue-weihnachts-emoji-fuer-whatsapp-fal… ∗∗∗ The UPX Packer Will Never Die!, (Fri, Dec 3rd) ∗∗∗ --------------------------------------------- Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code. --------------------------------------------- https://isc.sans.edu/diary/rss/28096 ∗∗∗ Exploring Container Security: A Storage Vulnerability Deep Dive ∗∗∗ --------------------------------------------- Recently, the GKE Security team discovered a high severity vulnerability in Kubernetes (CVE-2021-25741) that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community. --------------------------------------------- https://security.googleblog.com/2021/12/exploring-container-security-storag… ∗∗∗ Analysis: AWS SageMaker Jupyter Notebook Instance Takeover ∗∗∗ --------------------------------------------- During our research about security in data science tools we decided to look at Amazon SageMaker which is a fully managed machine learning service in AWS. Here is the long and short of our recent discovery. [...] Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy. We reported the vulnerability we discovered to the AWS security team [...] --------------------------------------------- https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability ∗∗∗ Beispiele für Viren-Mails nach Übernahme eines Exchange-Servers ∗∗∗ --------------------------------------------- Und schon sind wir beim dritten Türchen im Security-Adventskalender meines Blogs. Ich hatte ja hier im Blog mehrfach gewarnt, dass ungepatchte Exchange-Server übernommen und zum Spam-Versand missbraucht werden. Ein Blog-Leser hat mir nun eine kurze Info zukommen lassen (danke), weil er einen kompromittierten Exchange-Server gefunden hat, der kompromittiert war und infizierte Spam-Mails verschickte. --------------------------------------------- https://www.borncity.com/blog/2021/12/03/beispiele-fr-viren-mails-nach-bern… ∗∗∗ Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension ∗∗∗ --------------------------------------------- Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. --------------------------------------------- https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertisin… ∗∗∗ Mehrwertdienste versuchen Sie in die Abo-Falle zu locken! ∗∗∗ --------------------------------------------- Einmal die falsche App am Handy installiert, einen falschen Link geöffnet oder auf einen vermeintlich harmlosen Button geklickt: Am Smartphone kann es sehr schnell passieren, dass Sie in einer Abo-Falle landen und Ihre Telefonrechnung plötzlich deutlich höher ausfällt als gewohnt. Doch keine Sorge: Auch wenn bereits Geld abgebucht wurde, können Sie die Rechnung bei Ihrem Mobilfunkanbieter beanstanden. --------------------------------------------- https://www.watchlist-internet.at/news/mehrwertdienste-versuchen-sie-in-die… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers discover 14 new data-stealing web browser attacks ∗∗∗ --------------------------------------------- IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of XS-Leak cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-… ∗∗∗ CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus ∗∗∗ --------------------------------------------- This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-rele… ∗∗∗ IBM Security Bulletins 2021-12-02 ∗∗∗ --------------------------------------------- IBM Integration Bus, Power System, IBM Cloud Pak System, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Cognos Analytics --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050) ∗∗∗ --------------------------------------------- The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. --------------------------------------------- https://research.nccgroup.com/2021/12/02/technical-advisory-authenticated-s… ∗∗∗ Free Micropatches for the "InstallerFileTakeOver" 0day ∗∗∗ --------------------------------------------- Wow, this is the third 0day found by the same researcher we're patching in the last two weeks. Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation [...] --------------------------------------------- https://blog.0patch.com/2021/12/free-micropatches-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14). --------------------------------------------- https://lwn.net/Articles/877582/ ∗∗∗ Schneider Electric SESU ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficient Entropy vulnerability in the Schneider Electric Software Update. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-01 ∗∗∗ Johnson Controls Entrapass ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Johnson Controls Entrapass security management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-02 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass by Primary Weakness, and Unrestricted Upload of File with Dangerous Type vulnerabilities in Distributed Data Systems WebHMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03 ∗∗∗ Hitachi Energy RTU500 series BCI ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Hitachi Energy RTU500 series BCI remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-04 ∗∗∗ Hitachi Energy Relion 670/650/SAM600-IO ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in Hitachi Energy Relion 670/650/SAM600-IO Intelligent Electronic Devices (IEDs). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-05 ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Hitachi Energy Transformer Asset Performance Management (APM) Edge software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-06 ∗∗∗ Hitachi Energy PCM600 Update Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Improper Certificate Validation vulnerability in Hitachi Energy PCM600 Update Manager protection and control IED software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- This advisory contains mitigations for Observable Discrepancy, Buffer Over-read, and Out-of-bounds Read vulnerabilities in Hitachi Energy RTU500 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2021
by Daily end-of-shift report 02 Dec '21

02 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-12-2021 18:00 − Donnerstag 02-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New malware hides as legit nginx process on e-commerce servers ∗∗∗ --------------------------------------------- eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. [...] Because NginRAT hides as a normal Nginx process and the code exists only in the server’s memory, detecting it may be a challenge. However, the malware is launched using two variables, LD_PRELOAD and LD_L1BRARY_PATH. Administrators can use the latter, which contains the “typo,” to reveal the active malicious processes --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-n… ∗∗∗ Nine WiFi routers used by millions were vulnerable to 226 flaws ∗∗∗ --------------------------------------------- Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-mi… ∗∗∗ WordPress Admin Creator – A Simple, But Effective Attack ∗∗∗ --------------------------------------------- Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victims’ website after it has been cleaned. --------------------------------------------- https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effect… ∗∗∗ pip-audit ∗∗∗ --------------------------------------------- pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports. --------------------------------------------- https://pypi.org/project/pip-audit/ ∗∗∗ Digitale Vignette nur in offiziellen Shops kaufen! ∗∗∗ --------------------------------------------- Bereits ab 1. Dezember ist die Vignette für das Jahr 2022 auf österreichischen Autobahnen gültig. Die digitale Vignette kann dabei nicht nur an verschiedenen offiziellen Verkaufsstellen, sondern auch online gekauft werde. Das machen sich unseriöse AnbieterInnen zu Nutze und bieten die digitale Vignette ungerechtfertigt zu höheren Preisen an. --------------------------------------------- https://www.watchlist-internet.at/news/digitale-vignette-nur-in-offiziellen… ∗∗∗ Azure Privilege Escalation via Azure API Permissions Abuse ∗∗∗ --------------------------------------------- In this post, I will explain how one of those permissions systems can be abused to escalate to Global Admin. I’ll explain how you as an attacker can abuse this system, and I will also explain how you as a defender can find, clean up, and prevent these abusable configurations. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permis… ∗∗∗ Windows 10/11: Falle beim "trusted" Apps-Installer; Emotet nutzt das ∗∗∗ --------------------------------------------- Hoh hoh, Leute, wir können heute das zweite Türchen im Adventskalender öffnen und schauen, was Microsoft so schönes dahinter versteckt hat, um Administratoren zu erschrecken. Heute finden wir den AppX-Installer, der in Windows 10 und Windows 11 zum Installieren von Anwendungen und Apps verwendet wird. Hier ein kleiner Überblick, warum man das Wörtchen Trusted Apps nicht so ganz wörtlich nehmen soll. Denn der zugehörige Installer kann durchaus Malware auf das System spülen (Emotet nutzt das aktuell bei Angriffen), die Apps aber wegen eines gravierenden Design-Fehlers als Trusted ausweisen. --------------------------------------------- https://www.borncity.com/blog/2021/12/02/windows-10-11-falle-beim-trusted-a… ===================== = Vulnerabilities = ===================== ∗∗∗ BigSig-Lücke: Mozilla schließt kritische Schwachstelle in Krypto-Bibliothek NSS ∗∗∗ --------------------------------------------- Setzen Anwendungen zur sicheren Kommunikation Mozillas Network Security Services ein, könnte eine kritische Lücke für Probleme sorgen. [...] Die Programmbibliothek kommt beispielsweise im E-Mail-Client Thunderbird, LibreOffice und verschiedenen PDF-Betrachtern zum Einsatz. Einer Warnmeldung von Mozilla zufolge ist der hauseigene Webbrowser Firefox nicht von der als „kritisch“ eingestuften Sicherheitslücke (CVE-2021-43527) betroffen. --------------------------------------------- https://heise.de/-6281977 ∗∗∗ Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields" ∗∗∗ --------------------------------------------- Users of this product may do the following: - Browse unauthorized data on the database - CVE-2021-20865 - Obtain a list of information that an user do not have the privilege for - CVE-2021-20866 - Move field groups that an user do not have permission to use - CVE-2021-20867 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN09136401/ ∗∗∗ ZDI-21-1373: Jenkins Report Info XML External Entity Processing Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Jenkins Report Info. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1373/ ∗∗∗ Multiple vulnerabilities in OrbiTeam BSCW Server ∗∗∗ --------------------------------------------- The BSCW Server of OrbiTeam Software GmbH & Co. KG is prone to multiple vulnerabilities like reflected and stored XSS, LFI and Open Redirect. It is possible to chain these vulnerabilities and compromise the server even without a valid login. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, openssh, and rpm), Debian (nss), Fedora (seamonkey), Mageia (glibc), openSUSE (go1.16, go1.17, kernel, mariadb, netcdf, openexr, poppler, python-Pygments, python-sqlparse, ruby2.5, speex, and webkit2gtk3), Oracle (nss), Red Hat (nss), SUSE (clamav, glibc, gmp, go1.16, go1.17, kernel, mariadb, netcdf, OpenEXR, openexr, openssh, poppler, python-Pygments, python-sqlparse, ruby2.1, ruby2.5, speex, webkit2gtk3, and xen), and Ubuntu (nss and thunderbird). --------------------------------------------- https://lwn.net/Articles/877410/ ∗∗∗ Delta Electronics CNCSoft - ICS Advisory (ICSA-21-334-03) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-03 ∗∗∗ Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssh-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Tivoli Business Service Manager (CVE-2013-0248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Netty.io ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Wink as used by IBM Disconnected Log Collector is vulnerable to an XML External Entity Error (XXE) (CVE-2010-2245) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-wink-as-used-by-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2021
by Daily end-of-shift report 01 Dec '21

01 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-11-2021 18:00 − Mittwoch 01-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy BlackByte ransomware ∗∗∗ --------------------------------------------- BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st) ∗∗∗ --------------------------------------------- We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. --------------------------------------------- https://isc.sans.edu/diary/rss/28088 ∗∗∗ Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors ∗∗∗ --------------------------------------------- RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel… ∗∗∗ l+f: Emotet-Fehlalarm vom Microsoft Defender ∗∗∗ --------------------------------------------- Microsofts Virenschutz hat Nutzer und Administratoren unnötig aufgeschreckt: Ein fehlerhaftes Erkennungs-Update sah Emotet-Infektionen, wo keine waren. --------------------------------------------- https://heise.de/-6280766 ∗∗∗ Tracking a P2P network related with TA505 ∗∗∗ --------------------------------------------- For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. --------------------------------------------- https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-wit… ∗∗∗ Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html ∗∗∗ E-Mail: „Ihr Paket ist in der Warteschleife“ ist Fake ∗∗∗ --------------------------------------------- Warten Sie gerade auf ein Paket? Dann nehmen Sie sich vor E-Mails mit dem Betreff „Ihr Paket ist in der Warteschleife“ in Acht. Kriminelle geben sich als DHL aus und behaupten, dass Zollgebühren ausständig sind. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-wartesch… ∗∗∗ Play Your Cards Right: Detecting Wildcard DNS Abuse ∗∗∗ --------------------------------------------- Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/wildcard-dns-abuse/ ∗∗∗ Shodan Verified Vulns 2021-12-01 ∗∗∗ --------------------------------------------- Insgesamt gibt es kaum Veränderungen zum Vormonat, wobei die Anzahl der verwundbaren Microsoft Exchange Server relativ deutlich zurückging – Props an die Administrator:innen! --------------------------------------------- https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-kn… ∗∗∗ FBI document shows what data can be obtained from encrypted messaging apps ∗∗∗ --------------------------------------------- A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr. --------------------------------------------- https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-e… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2021-11-30 ∗∗∗ --------------------------------------------- IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java™ Technology Edition), IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...]) --------------------------------------------- https://lwn.net/Articles/877284/ ∗∗∗ Verwaltungssoftware Jamf Pro für Apple-Geräte könnte Zugangsdaten leaken ∗∗∗ --------------------------------------------- https://heise.de/-6281352 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-… ∗∗∗ XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-… ∗∗∗ Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ Johnson Controls CEM Systems AC2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04 ∗∗∗ Hitachi Energy Retail Operations and CSB Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2021
by Daily end-of-shift report 30 Nov '21

30 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 29-11-2021 18:00 − Dienstag 30-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Printing Shellz: Sicherheitslücken in HP-Druckern/-Multifunktionsgeräten ∗∗∗ --------------------------------------------- Passend zum 30. November, dem Computer Security Day habe ich noch was. Es gibt eine Sicherheitslücke in der Firmware bestimmter HP LaserJet, HP LaserJet Managed, HP PageWide und HP PageWide Managed Produkte. Diese sind möglicherweise für einen Pufferüberlauf anfällig. Das bedeutet, Angreifer könnten Druckaufträge oder Scans abfangen und ggf. die Firmennetzwerke lahmlegen. --------------------------------------------- https://www.borncity.com/blog/2021/11/30/printing-shellz-sicherheitslcken-i… ∗∗∗ Gefälschtes BAWAG SMS im Umlauf ∗∗∗ --------------------------------------------- Momentan kursieren gefälschte SMS-Nachrichten im Namen der BAWAG. Im SMS mit „BawagPSK“ als Absender werden EmpfängerInnen darüber informiert, dass ihr Konto angeblich gesperrt wurde und eine Sicherheitsapp installiert werden muss. Klicken Sie keinesfalls auf den Link. Dieser führt auf eine gefälschte BAWAG-Website! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-bawag-sms-im-umlauf/ ∗∗∗ Malicious USB drives: Still a security problem ∗∗∗ --------------------------------------------- A malicious USB drive dropped in a parking lot - this image has become a bit of a trope in IT security circles. Still, the threat is very real and more relevant than ever. --------------------------------------------- https://www.gdatasoftware.com/blog/2021/11/usb-drives-still-a-danger ∗∗∗ What We’ve Learned About SSH Brute Force Attacks ∗∗∗ --------------------------------------------- The first time I encountered brute force attacks I was a hosting specialist who received calls from frustrated site owners that wanted to know who’d gained access to their server. Many of them didn’t understand the importance of a password’s character strength, or how frequent attacks on “root” are as a username, including myself at one point in time. I’ve learned more about SSH Brute Force attacks throughout my years at Sucuri. --------------------------------------------- https://blog.sucuri.net/2021/11/what-weve-learned-about-ssh-brute-force-att… ∗∗∗ 300.000+ infections via Droppers on Google Play Store ∗∗∗ --------------------------------------------- In this blog we will discuss the recent techniques used to spread Android banking trojans via Google Play (MITRE T1475) resulting in significant financial loss for targeted banks. We will also discuss the, sometimes forgotten, by-product of collecting contacts and keystrokes by Banking trojans, resulting in severe data leakage. --------------------------------------------- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html ∗∗∗ Sabbath Ransomware Operators Target Critical Infrastructure ∗∗∗ --------------------------------------------- Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources. --------------------------------------------- https://www.securityweek.com/sabbath-ransomware-operators-target-critical-i… ∗∗∗ Yanluowang: Further Insights on New Ransomware Threat ∗∗∗ --------------------------------------------- At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya… ∗∗∗ Kernel Karnage – Part 5 (I/O & Callbacks) ∗∗∗ --------------------------------------------- After showing interceptor’s options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. --------------------------------------------- https://blog.nviso.eu/2021/11/30/kernel-karnage-part-5-i-o-callbacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/877186/ ∗∗∗ ZDI-21-1371: (0Day) Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1371/ ∗∗∗ ZDI-21-1370: (0Day) Esri ArcReader PMF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1370/ ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1244 ∗∗∗ Cross-Site Request Forgery im Team Password Manager (SYSS-2021-059) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-request-forgery-im-team-passwor… ∗∗∗ Host Header Poisoning im Team Password Manager (SYSS-2021-060) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/host-header-poisoning-im-team-password-man… ∗∗∗ Advisory: Vulnerabilities in B&R Automation Studio and PVI Windows Services ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454… ∗∗∗ Advisory: Number:Jack in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16367454… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2021-38999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics – Log Analysis (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU Binutils affects IBM Netezza Performance Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a code injection vulnerability (CVE-2021-38967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a disclosure of sensitive information vulnerability (CVE-2021-39000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2021
by Daily end-of-shift report 29 Nov '21

29 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-11-2021 18:00 − Montag 29-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ TrickBot phishing checks screen resolution to evade researchers ∗∗∗ --------------------------------------------- The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-scr… ∗∗∗ IT-Security: ETSI veröffentlicht erste Norm für sichere Smartphones ∗∗∗ --------------------------------------------- Ein neuer Standard des europäischen Normungsinstituts ETSI soll Herstellern weltweit helfen, die IT-Sicherheit bei Mobiltelefonen für Verbraucher zu erhöhen. --------------------------------------------- https://heise.de/-6278376 ∗∗∗ Google-Analyse: Cloud-Dienste durch schwache Passwörter angreifbar ∗∗∗ --------------------------------------------- Das Unternehmen hat Einbrüche in Cloud-Instanzen untersucht, nennt Ursachen und liefert daraus resultierende Handlungsempfehlungen. --------------------------------------------- https://heise.de/-6277514 ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- In June 2021, security researcher Abdelhamid Naceri published a blog post about an "unpatched information disclosure" vulnerability in Windows. The post details the mechanics of the issue and its exploitation, allowing a non-admin Windows user to read arbitrary files even if they do not have permissions to do so. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Ghidra 101: Binary Patching ∗∗∗ --------------------------------------------- There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes, it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/ghidra-… ∗∗∗ AVM warnt vor Phishing-Mails mit FRITZ!Box-Anrufbeantworternachricht ∗∗∗ --------------------------------------------- Der Hersteller der FRITZ!Boxen, die Berliner-Firma AVM warnt aktuell von einer Welle von Phishing-Mails, die im Anhang angeblich eine Sprachnachricht des FRITZ!Box-Anrufbeantworters enthalten. Wer diesen Anhang per Doppelklick unter Windows abhören möchte, installiert sich Schadsoftware. --------------------------------------------- https://www.borncity.com/blog/2021/11/28/avm-warnt-vor-phishing-mails-mit-f… ∗∗∗ Cobalt Strike: Decrypting DNS Traffic – Part 5 ∗∗∗ --------------------------------------------- Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. --------------------------------------------- https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-… ===================== = Vulnerabilities = ===================== ∗∗∗ Backdoor.Win32.Coredoor.10.a / Authentication Bypass RCE ∗∗∗ --------------------------------------------- Description: The malware listens on TCP port 21000. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution. --------------------------------------------- https://cxsecurity.com/issue/WLB-2021110120 ∗∗∗ FortiClientWindows & FortiClient EMS - Privilege escalation via DLL Hijacking ∗∗∗ --------------------------------------------- An unsafe search path vulnerability in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path. --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-088 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/877105/ ∗∗∗ Insulet OmniPod Insulin Management System vulnerability ∗∗∗ --------------------------------------------- https://omnipod.lyrebirds.dk/ ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2021
by Daily end-of-shift report 26 Nov '21

26 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-11-2021 18:00 − Freitag 26-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IT threat evolution Q3 2021 ∗∗∗ --------------------------------------------- WildPressure and LuminousMoth threat actors, FinSpy implants, zero-day vulnerabilities and PrintNightmare, threats for Linux and macOS in our review of Q3 2021. --------------------------------------------- https://securelist.com/it-threat-evolution-q3-2021/104876/ ∗∗∗ YARAs Private Strings, (Thu, Nov 25th) ∗∗∗ --------------------------------------------- YARA supports private strings. A string can be marked as private by including string modifier "private". Here is a use case. [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28010 ∗∗∗ Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090, (Fri, Nov 26th) ∗∗∗ --------------------------------------------- Over the past 7 days, my honeypot captured a few hundred POST for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, could allow unauthenticated remote actors to bypass authentication and add the router to the botnet Mirai botnet. --------------------------------------------- https://isc.sans.edu/diary/rss/28072 ∗∗∗ EU needs more cybersecurity graduates, says ENISA infosec agency – pointing at growing list of masters degree courses ∗∗∗ --------------------------------------------- The EU needs more cybersecurity graduates to plug the political blocs shortage of skilled infosec bods, according to a report from the ENISA online security agency. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/11/26/enisa_cybers… ∗∗∗ RATDispenser: JavaScript-Loader installiert Remote Access Trojaners (RAT) in Windows ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag in Punkto Sicherheit, welcher mir die Tage unter die Augen gekommen ist. Die Sicherheitsforscher von HP Thread-Research sind auf einen in JavaScript geschriebenen Loader gestoßen, der auf Windows-Systemen Remote Access Trojaner (RAT) installiert. Der Entwickler scheint [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/26/ratdispenser-javascript-loader-ins… ===================== = Vulnerabilities = ===================== ∗∗∗ Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices ∗∗∗ --------------------------------------------- Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L. Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises. --------------------------------------------- https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.h… ∗∗∗ Angreifer könnten die Kontrolle über Videoüberwachungssysteme von Qnap erlangen ∗∗∗ --------------------------------------------- Ein wichtiges Update schließt unter anderem eine kritische Lücke in einigen Netzwerk-Videorekordern von Qnap. --------------------------------------------- https://heise.de/-6277445 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf). --------------------------------------------- https://lwn.net/Articles/876922/ ∗∗∗ Zoom Video Communications Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1235 ∗∗∗ Security Bulletin: Vulnerability in jsoup may affect Cúram Social Program Management (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jsoup-ma… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Dojo may affect IBM Cúram Social Program Management (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may… ∗∗∗ Security Bulletin: Vulnerability in Apache Santuario XML Security for Java may affect Cúram Social Program Management (CVE-2021-40690) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2021
by Daily end-of-shift report 25 Nov '21

25 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-11-2021 18:00 − Donnerstag 25-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New CronRAT malware infects Linux systems using odd day cron jobs ∗∗∗ --------------------------------------------- Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cronrat-malware-infects-… ∗∗∗ Discord malware campaign targets crypto and NFT communities ∗∗∗ --------------------------------------------- A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-malware-campaign-tar… ∗∗∗ Improving security for mobile devices: CISA issues guides ∗∗∗ --------------------------------------------- CISA has released actionable guides with advice on how to improve security for mobile devices, both for consumers and organizations. --------------------------------------------- https://blog.malwarebytes.com/android/2021/11/improving-security-for-mobile… ∗∗∗ Bitcoin-Erpressung mit Masturbationsaufnahmen ∗∗∗ --------------------------------------------- Alle Jahre wieder versuchen Kriminelle durch erfundene Behauptungen, Geld zu erpressen. Angeblich wurden Ihre Systeme gehackt und Sie dadurch während dem Aufruf pornografischer Inhalte gefilmt. Die Nachricht ist frei erfunden und wird massenhaft ausgesendet. --------------------------------------------- https://www.watchlist-internet.at/news/bitcoin-erpressung-mit-masturbations… ∗∗∗ Sophisticated Tardigrade malware launches attacks on vaccine manufacturing infrastructure ∗∗∗ --------------------------------------------- Security researchers are warning biomanufacturing facilities around the world that they are being targeted by a sophisticated new strain of malware, known as Tardigrade. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/sophist… ∗∗∗ Black-Friday-Spam-Kampagnen in den Startlöchern ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday – da gibt es fast alles umsonst. Das ruft auch Cyber-Kriminelle auf den Plan und diese greifen Verbraucher verstärkt mit Online-Shopping-Betrugsversuchen an. --------------------------------------------- https://www.borncity.com/blog/2021/11/25/black-friday-spam-kampagnen-in-den… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware dichtet Schwachstellen in vSphere Web Client ab - zum Teil ∗∗∗ --------------------------------------------- Der Hersteller meldet Sicherheitslücken, teils mit hohem Risiko. Es gibt jedoch noch nicht für alle betroffenen Produkte Updates. --------------------------------------------- https://heise.de/-6276216 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/876852/ ∗∗∗ ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717) ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Ant affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2021
by Daily end-of-shift report 24 Nov '21

24 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-11-2021 18:00 − Mittwoch 24-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Phishing page hiding itself using dynamically adjusted IP-based allow list, (Wed, Nov 24th) ∗∗∗ --------------------------------------------- It can be instructive to closely examine even completely usual-looking phishing messages from time to time, since they may lead one to unusual phishing sites or may perhaps use some novel technique that might not be obvious at first glance. --------------------------------------------- https://isc.sans.edu/diary/rss/28070 ∗∗∗ Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells ∗∗∗ --------------------------------------------- This blog series explores methods attackers might use to maintain persistent access to a compromised linux system. --------------------------------------------- https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persi… ∗∗∗ Nach Windows-Update: Zero-Day-Lücke erlaubt lokale Rechteausweitung ∗∗∗ --------------------------------------------- Eines der Windows-Updates im November sollte eine gefährliche Lücke schließen. Doch sie lässt sich noch immer zur Erhöhung der eigenen Rechte missbrauchen. --------------------------------------------- https://heise.de/-6274893 ∗∗∗ Vorsicht vor Love Scams auf Facebook Dating! ∗∗∗ --------------------------------------------- Immer wieder melden uns besorgte LeserInnen sogenannte Love- oder Romance-Scammer. Dabei handelt es sich um Online-Bekanntschaften, die sich durch Liebesbeteuerungen das Vertrauen der Opfer erschleichen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-facebook… ∗∗∗ New JavaScript malware works as a “RAT dispenser” ∗∗∗ --------------------------------------------- Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy much dangerous remote access trojans (RATs). --------------------------------------------- https://therecord.media/new-javascript-malware-works-as-a-rat-dispenser/ ∗∗∗ ASEC Weekly Malware Statistics (November 15th, 2021 – November 21st, 2021) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from November 15th, 2021 (Monday) to November 21st, 2021 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/28954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/876799/ ∗∗∗ Schwachstelle in MediaTek-Chips von Android-Smartphones ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben in einer Android-APU, die APU ist die AI Processing Unit in MediaTek-Chips, eine Schwachstelle entdeckt. Die Sicherheitsforscher warnen, dass Nutzer über den Audio-Prozessor abgehört werden können. Die Mediatek-Chips sind in 37 % aller Android-Geräte verbaut. --------------------------------------------- https://www.borncity.com/blog/2021/11/24/schwachstelle-in-mediatek-chips-vo… ∗∗∗ ZDI-21-1333: Adobe Creative Cloud Incorrect Permission Assignment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1333/ ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211124-… ∗∗∗ Security Bulletin: Weak Cryptographic Control Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38891) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-weak-cryptographic-contro… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Account Lockout Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38890) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-account-lockout-vulnerabi… ∗∗∗ Security Bulletin: PostgreSQL Sensitive Information Exposure Vulnerability Affects IBM Connect:Direct Web Services (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-sensitive-info… ∗∗∗ K20072454: Linux kernel vulnerability CVE-2021-43267 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20072454 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2021
by Daily end-of-shift report 23 Nov '21

23 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 22-11-2021 18:00 − Dienstag 23-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung: ProxyShell, Squirrelwaffle und ein PoC-Eploit, patcht endlich eure Exchange-Server ∗∗∗ --------------------------------------------- Wie oft denn noch? Aktuell warne ich fast im Tagesrhythmus vor dem Betrieb ungepatchter Exchange-Schwachstellen und ProxyShell-Angriffen. Vor einigen Tagen hat Trend Micro eine Warnung vor Angriffen auf die ProxyShell-Schwachstellen über den Squirrelwaffle-Exploit und der Übernahme der Exchange-E-Mail-Postfächer gewarnt. Seit wenigen Stunden ist ein weitere Exploit als Proof of Concept öffentlich, die Ausnutzung gegen ungepatchte Exchange-Server ist wahrscheinlich. Patcht also endlich die Systeme. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/warnung-proxyshell-squirrelwaffle-… ∗∗∗ GoDaddy-Datenpanne betrifft 1,2 Millionen WordPress-Kunden ∗∗∗ --------------------------------------------- Hacker verschafft sich Zugang zu den persönlichen Daten von mehr als 1,2 Millionen Kunden des WordPress-Hostingdienstes von GoDaddy. --------------------------------------------- https://heise.de/-6274187 ∗∗∗ FBI warnt vor Einbrüchen via VPN-Software ∗∗∗ --------------------------------------------- Bei Untersuchungen stießen Strafverfolger vom FBI auf Sicherheitslücken in VPN-Software, durch die Cyberkriminelle derzeit in Netzwerke eindringen. --------------------------------------------- https://heise.de/-6274101 ∗∗∗ ZDF-Reportage: Wie Betrüger online abzocken ∗∗∗ --------------------------------------------- Wer sind die Cyber-Kriminellen hinter den unzähligen Fake-Shops und wie können sie entlarvt werden? "WISO crime" - ein ZDF-Format berichtet über Fake-Shops im Internet und versucht, einem Fake-Shop-Betreiber auf die Schliche zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/zdf-reportage-wie-betrueger-online-a… ∗∗∗ Over nine million Android devices infected by info-stealing trojan ∗∗∗ --------------------------------------------- A large-scale malware campaign on Huaweis AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-nine-million-android-de… ∗∗∗ How to investigate service provider trust chains in the cloud ∗∗∗ --------------------------------------------- This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/22/how-to-investigate-servi… ∗∗∗ Simple YARA Rules for Office Maldocs, (Mon, Nov 22nd) ∗∗∗ --------------------------------------------- In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code. --------------------------------------------- https://isc.sans.edu/diary/rss/28062 ∗∗∗ Observing Attacks Against Hundreds of Exposed Services in Public Clouds ∗∗∗ --------------------------------------------- Insecurely exposed services are common misconfigurations in cloud environments. We used a honeypot infrastructure to learn about attacks against them. --------------------------------------------- https://unit42.paloaltonetworks.com/exposed-services-public-clouds/ ∗∗∗ What to do if you receive a data breach notice ∗∗∗ --------------------------------------------- Receiving a breach notification doesn't mean you’re doomed - here's what you should consider doing in the hours and days after learning that your personal data has been exposed --------------------------------------------- https://www.welivesecurity.com/2021/11/22/what-do-if-you-receive-data-breac… ∗∗∗ GÉANT launches new security services website ∗∗∗ --------------------------------------------- As technology becomes more complex and threats more sophisticated, it’s a challenge to keep any organisation’s online environment and physical infrastructure secure. Security services protect both the networks and services from attacks, but also help secure individuals using the networks. --------------------------------------------- https://connect.geant.org/2021/11/23/geant-launches-new-security-services-w… ∗∗∗ The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see. ∗∗∗ --------------------------------------------- TL;DR - In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA? What are the biggest [...] --------------------------------------------- https://blog.nviso.eu/2021/11/23/the-digital-operational-resilience-act-dor… ∗∗∗ GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks ∗∗∗ --------------------------------------------- In part three of a series, GoSecure ethical hackers have found another way to exploit insecure Windows Server Update Services (WSUS) configurations. By taking advantage of the authentication provided by the Windows update client and relaying it to other domain services, we found this can lead to remote code execution. In this blog, we’ll share our findings and recommend mitigations. --------------------------------------------- https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-wind… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0027 ∗∗∗ --------------------------------------------- VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0027.html ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- XSA-385 - guests may exceed their designated memory limit XSA-387 - grant table v2 status pages may remain accessible after de-allocation (take two) XSA-388 - PoD operations on misaligned GFNs XSA-389 - issues with partially successful P2M updates on x86 --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Vulnerability Spotlight: PHP deserialize vulnerability in CloudLinux Imunity360 could lead to arbitrary code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-php-dese… ∗∗∗ A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades ∗∗∗ --------------------------------------------- Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere --------------------------------------------- https://blog.talosintelligence.com/2021/11/a-review-of-azure-sphere.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mbedtls), Red Hat (kernel and rpm), and Ubuntu (freerdp2). --------------------------------------------- https://lwn.net/Articles/876723/ ∗∗∗ 0-Day LPE-Schwachstelle im Windows Installer (Nov. 2021) ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine eine 0-Day-Schwachstelle im Windows Installer gefunden, über die ein lokaler Angreifer Administratorrechte erlangen kann. Die Windows Installer Elevation of Privilege"-Schwachstelle CVE-2021-41379 ist zwar im November 2021 gepatcht worden. Aber es gibt eine Umgehungslösung, der Patch ist wirkungslos. Betroffen sind alle Windows-Versionen, einschließlich Windows 10, dass brandneue Windows 11 sowie alle Windows Server-Versionen. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/0-day-lpe-schwachstelle-im-windows… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues within the IBM® Runtime Environment Java™ Technology Edition, Version 8 shipped with IBM MQ (CVE-2021-2432, CVE-2021-2388) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 (CVE-2020-28196) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerb… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2018-17199 and CVE-2020-11993) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat (CVE-2021-42340) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing messages. (CVE-2021-38875) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Vulnerability in Bash (CVE-2019-18276) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-cve… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in glib2 (CVE-2021-27218 and CVE-2021-27219) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-glib2-cv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2021
by Daily end-of-shift report 22 Nov '21

22 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-11-2021 18:00 − Montag 22-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Picky PPID Spoofing ∗∗∗ --------------------------------------------- Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships. --------------------------------------------- https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html ∗∗∗ Command injection prevention for Python ∗∗∗ --------------------------------------------- This is a command/code injection prevention cheat sheet by r2c. It contains code patterns of potential ways to run an OS command or arbitrary code in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigates the possibility of command/code injection in your code. --------------------------------------------- https://semgrep.dev/docs/cheat-sheets/python-command-injection/ ∗∗∗ Missing Link: Wie sicher ist der Anonymisierungsdienst Tor? ∗∗∗ --------------------------------------------- Tor gilt als Wunderwaffe gegen den Überwachungswahn von Geheimdiensten. Wie gut lässt sich die Technologie knacken? Ist Tor tatsächlich NSA- und BND-proof? --------------------------------------------- https://heise.de/-6272025 ∗∗∗ Virtuelle Mobilfunknetze mit Open RAN: BSI sieht Sicherheitsrisiken ∗∗∗ --------------------------------------------- Mehr "Security by Design" empfehlen die Autoren einer Risikoanalyse des BSI für die Weiterentwicklung von Open RAN – nachträgliche Korrekturen seien aufwändig. --------------------------------------------- https://heise.de/-6274060 ∗∗∗ UEFI virtual machine firmware hardening through snapshots and attack surface reduction. (arXiv:2111.10167v1 [cs.SE]) ∗∗∗ --------------------------------------------- This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction. --------------------------------------------- http://arxiv.org/abs/2111.10167 ∗∗∗ Oh ... Ransomware verschlüsselt meine virtuellen Maschinen direkt im Hypervisor ... Wie jetzt? ∗∗∗ --------------------------------------------- Viele Ransomware- oder Ransomware-as-a-Service (RaaS)- Gruppen besitzen inzwischen die Fähigkeit, virtuelle Maschinen direkt auf Hypervisor-Ebene zu verschlüsseln. Das heisst, es sind nicht einzelne Clients, Workstations oder Server auf Windows Betriebsystem-Ebene, sondern alle Maschinen, die virtualisiert - auf zum Beispiel VMware ESXi oder Microsoft Hyper-V - laufen, gleichzeitig betroffen. Die Cybersecurityfirma Crowdstrike hat dieser Thematik zwei interessante Blog-Posts gewidmet --------------------------------------------- https://cert.at/de/blog/2021/11/oh-ransomware-verschlusselt-meine-virtuelle… ∗∗∗ NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network, also known as Pods. The guidance provides several aspects of pod security including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-rele… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. CVEs: CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21910, CVE-2021-21911, CVE-2021-21912 --------------------------------------------- http://blog.talosintelligence.com/2021/11/re-see-net-advantched-vuln-spotli… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firebird3.0, libmodbus, and salt), Fedora (js-jquery-ui and wordpress), Mageia (arpwatch, chromium-browser-stable, php, rust, and wireshark), openSUSE (barrier, firefox, hylafax+, opera, postgresql12, postgresql13, postgresql14, and tomcat), SUSE (ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma, ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma, firefox, kernel, postgresql, postgresql13, postgresql14, postgresql10, postgresql12, postgresql13, postgresql14, postgresql96, and samba), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/876655/ ∗∗∗ Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications ∗∗∗ --------------------------------------------- Talos has published 18 separate advisories describing the vulnerabilities. The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15. --------------------------------------------- https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-des… ∗∗∗ ZDI-21-1332: Commvault CommCell AppStudioUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1332/ ∗∗∗ ZDI-21-1331: Commvault CommCell Demo_ExecuteProcessOnGroup Exposed Dangerous Function Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1331/ ∗∗∗ ZDI-21-1330: Commvault CommCell DownloadCenterUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1330/ ∗∗∗ ZDI-21-1329: Commvault CommCell DataProvider JavaScript Sandbox Escape Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1329/ ∗∗∗ ZDI-21-1328: Commvault CommCell CVSearchService Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1328/ ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2021
by Daily end-of-shift report 19 Nov '21

19 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-11-2021 18:00 − Freitag 19-11-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitsbedrohungen im Web: Die größten Risiken laut OWASP Top Ten 2021 ∗∗∗ --------------------------------------------- Die OWASP Top Ten 2021 aktualisiert die Liste der Sicherheitsbedrohungen im Web. Defekte Zugriffsbeschränkungen stehen an erster Stelle. --------------------------------------------- https://heise.de/-6271591 ∗∗∗ Qnap veröffentlicht NAS-Updates und deaktiviert aus Sicherheitsgründen eine App ∗∗∗ --------------------------------------------- Angreifer könnten Netzwerkspeicher von Qnap attackieren. Der Sicherheitspatch für eine Lücke steht noch aus. --------------------------------------------- https://heise.de/-6272271 ∗∗∗ Azure Active Directory: Sicherheitslücke entblößt private Schlüssel ∗∗∗ --------------------------------------------- In Azure Automation waren private Schlüssel für jeden Nutzer des AD einsehbar. Obwohl Microsoft das Problem gelöst hat, ist ein Schlüsseltausch angeraten. --------------------------------------------- https://heise.de/-6272248 ∗∗∗ ProxyNoShell: Mandiant warnt vor neuen Angriffsmethoden auf Exchange-Server (Nov. 2021) ∗∗∗ --------------------------------------------- Cyber-Angreifer verwenden seit Monaten drei bekannte Schwachstellen in Microsofts Exchange Servern, für die es bereits seit Monaten Updates gibt. Trotzdem sind um die 30.000 Microsoft Exchange Sever per Internet erreichbar, die über diese Schwachstellen angreifbar sind. Sicherheitsforscher haben jetzt eine [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/19/proxynoshell-mandiant-warnt-vor-ne… ∗∗∗ Malware downloaded from PyPI 41,000 times was surprisingly stealthy ∗∗∗ --------------------------------------------- Malware infiltrating open source repositories is getting more sophisticated. --------------------------------------------- https://arstechnica.com/?p=1814211 ∗∗∗ Android malware BrazKing returns as a stealthier banking trojan ∗∗∗ --------------------------------------------- The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-brazking-ret… ∗∗∗ Ransomware Phishing Emails Sneak Through SEGs ∗∗∗ --------------------------------------------- The MICROP ransomware spreads via Google Drive and locally stored passwords. --------------------------------------------- https://threatpost.com/ransomware-phishing-emails-segs/176470/ ∗∗∗ Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th) ∗∗∗ --------------------------------------------- At the Internet Storm Center, we like to show how exotic extensions can be used to make victims feel confident to open malicious files. There is an interesting webpage that maintains a list of dangerous extensions used by attackers: filesec.io[1]. The list is regularly updated and here is an example of malicious file that is currently not listed: "XLL". It's not a typo, it's not a "DLL" but close to! --------------------------------------------- https://isc.sans.edu/diary/rss/28052 ∗∗∗ New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks ∗∗∗ --------------------------------------------- Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said. --------------------------------------------- https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html ∗∗∗ Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure ∗∗∗ --------------------------------------------- Security researchers have checked the webs public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_ce… ∗∗∗ Patch now! FatPipe VPN zero-day actively exploited ∗∗∗ --------------------------------------------- The FBI has revealed that APT actors have been abusing a zero-day in FatPipes MPVPN, WARP, and IPVPN products since May. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-no… ∗∗∗ New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses ∗∗∗ --------------------------------------------- Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. Weve recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. In this latest campaign, operators deployed clipboard hijacking code that replaces a [...] --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/aggah-clipboard-hija… ∗∗∗ Ransomware is now a giant black hole that is sucking in all other forms of cybercrime ∗∗∗ --------------------------------------------- File-encrypting malware is where the money is -- and thats changing the whole online crime ecosystem. --------------------------------------------- https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-… ∗∗∗ All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients ∗∗∗ --------------------------------------------- [...] Team82’s research uncovered four vulnerabilities in popular industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. The vulnerabilities expose users to remote and arbitrary code execution attacks, and also enable attackers to elevate privileges. All four vendors have either provided a fix in an updated version of their respective products, or suggested mitigations. --------------------------------------------- https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwni… ∗∗∗ Kernel Karnage – Part 4 (Inter(ceptor)mezzo) ∗∗∗ --------------------------------------------- To make up for the long wait between parts 2 and 3, we’re releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. --------------------------------------------- https://blog.nviso.eu/2021/11/19/kernel-karnage-part-4-interceptormezzo/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗ --------------------------------------------- A vulnerability in the sed command could allow an authenticated attacker to escape from a restricted shell to obtain sensitive information and cause a denial of service. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sed-affe… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2021-29843 ∗∗∗ --------------------------------------------- IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. The issue is described by CVE-2021-29843. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Xen Security Advisory CVE-2021-28710 / XSA-390 - certain VT-d IOMMUs may not work in shared page table mode ∗∗∗ --------------------------------------------- Impact: A malicious guest may be able to escalate its privileges to that of the host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-390.html ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-user-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird). --------------------------------------------- https://lwn.net/Articles/876528/ ∗∗∗ QNX-2021-002 Vulnerability in BMP Image Codec Impacts BlackBerry QNX Software Development Platform (SDP) ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ K48382137: Bootstrap vulnerability CVE-2018-14040 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48382137 ∗∗∗ K19785240: Bootstrap vulnerability CVE-2018-14042 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19785240 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2021
by Daily end-of-shift report 18 Nov '21

18 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-11-2021 18:00 − Donnerstag 18-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PerSwaysion Phishing Campaign Continues to Be an Active Threat for Organizations ∗∗∗ --------------------------------------------- Research shows that multiple attack groups have been using the Microsoft file-sharing service - leveraging phishing kit for much longer than previously thought. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/-perswaysion-phishing-c… ∗∗∗ Fake Ransomware Infection Hits WordPress Sites ∗∗∗ --------------------------------------------- WordPress sites have been splashed with ransomware warnings that are as real as dime-store cobwebs made out of spun polyester. --------------------------------------------- https://threatpost.com/fake-ransomware-infection-wordpress/176410/ ∗∗∗ Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs ∗∗∗ --------------------------------------------- Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. [...] As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,”... --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/11/17/guidance-for-azure-active-di… ∗∗∗ [Conti] Ransomware Group In-Depth Analysis ∗∗∗ --------------------------------------------- Providing a detailed perspective towards different fundamental aspects of Conti's Operation, our report approaches this case through different angles such as "Business Model", "Conti Attack Kill Chain", "Management Panel" and "Money Operation". --------------------------------------------- https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analys… ∗∗∗ Portable Malware Analyzis Lab ∗∗∗ --------------------------------------------- Short tutorial about the installation of a malware analyzis lab on Proxmox. --------------------------------------------- https://blog.rootshell.be/2021/11/17/portable-malware-analyzis-lab/ ∗∗∗ New ETW Attacks Can Allow Hackers to Blind Security Products ∗∗∗ --------------------------------------------- Researchers have described two new attack methods that can be used to “blind” cybersecurity products that rely on a logging mechanism named Event Tracing for Windows (ETW). ETW, which is present by default in Windows since Windows XP, is designed for tracing and logging events associated with user-mode applications and kernel-mode drivers. --------------------------------------------- https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-securi… ∗∗∗ biovea.net und biovea.com: Häufig Probleme bei Bestellungen ∗∗∗ --------------------------------------------- Biovea bietet auf den Websites biovea.net und biovea.com diverse Nahrungsergänzungsmittel, Körperpflegeprodukte und Waren aus dem Gesundheitsbereich an. Bestellte Produkte werden tatsächlich versandt, doch fehlende Kontaktinformationen, Versand teils aus Amerika und der Import der Produkte beim Zoll können zu zahlreichen Problemen für Bestellende führen. --------------------------------------------- https://www.watchlist-internet.at/news/bioveanet-und-bioveacom-haeufig-prob… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011 ∗∗∗ --------------------------------------------- 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to --------------------------------------------- https://www.drupal.org/sa-core-2021-011 ∗∗∗ Drupal: OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044 ∗∗∗ --------------------------------------------- 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default This module enables users to authenticate through their Microsoft Azure AD account.The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another --------------------------------------------- https://www.drupal.org/sa-contrib-2021-044 ∗∗∗ Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdfxfw open-source library. This library reads and writes .dxf and .dwg files — the primary file format for vector graphics in CAD software. LibreCAD, a free computer-aided design software for 2-D models, uses this libdfxfw. [...] Users are encouraged to update these affected products as soon as possible: LibreCad libdxfrw, version 2.2.0-rc2-19-ge02f3580. Talos tested and confirmed these versions of the library could be exploited by this vulnerability. --------------------------------------------- http://blog.talosintelligence.com/2021/11/libre-cad-vuln-spotlight-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils). --------------------------------------------- https://lwn.net/Articles/876413/ ∗∗∗ Reflected XSS Vulnerability in Ragic Cloud DB ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. To secure your device, we recommend uninstalling Ragic Cloud DB until a security patch is available. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-48 ∗∗∗ CSRF Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-49 ∗∗∗ Heap-Based Buffer Overflow Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability has been reported to affect QNAP NAS devices that have Apple File Protocol (AFP) enabled in QTS or QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS and QuTS hero: [...] --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-50 ∗∗∗ Security Bulletin: Vulnerabilitiy affects IBM Observability with Instana ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-affects-ib… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Philips IntelliBridge EC 40 and EC 80 Hub ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-01 ∗∗∗ Philips Patient Information Center iX (PIC iX) and Efficia CM Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2021
by Daily end-of-shift report 17 Nov '21

17 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-11-2021 18:00 − Mittwoch 17-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ These are the cryptomixers hackers use to clean their ransoms ∗∗∗ --------------------------------------------- Cryptomixers have always been at the epicenter of cybercrime activity, allowing hackers to "clean" cryptocurrency stolen from victims and making it hard for law enforcement to track them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/these-are-the-cryptomixers-h… ∗∗∗ 6 Tips To Keep in Mind for Ransomware Defense ∗∗∗ --------------------------------------------- Ransomware is everywhere, including the nightly news. Most people know what it is, but how do ransomware attackers get in, and how can we defend against them? --------------------------------------------- https://www.darkreading.com/edge-articles/6-tips-to-keep-in-mind-for-ransom… ∗∗∗ Github: NPM-Pakete konnten beliebig überschrieben werden ∗∗∗ --------------------------------------------- Ein Fehler in der NPM-Registry hat das Überschreiben von Paketen ermöglicht. Github weiß nicht sicher, ob dies ausgenutzt wurde. --------------------------------------------- https://www.golem.de/news/github-npm-pakete-konnten-beliebig-ueberschrieben… ∗∗∗ Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma ∗∗∗ --------------------------------------------- Thanks to the work of Google’s TAG team, we were able to grab two versions of the backdoor used by the threat actors, which we will label UserAgent 2019 and UserAgent 2021. --------------------------------------------- https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-target… ∗∗∗ Lücken in Industrie-IoT-Protokoll ermöglichen Fremdsteuerung ∗∗∗ --------------------------------------------- Implementierungen eines Datenaustauschprotokolls für industrielle Steuerungen sind anfällig für Manipulationen, die zu Schäden führen könnten. --------------------------------------------- https://heise.de/-6268372 ∗∗∗ Bestellung auf fotoexperte24.de führt in Abo-Falle! ∗∗∗ --------------------------------------------- Auf der Webseite fotoexperte24.de können günstige Passbilder für verschiedene Ausweise bestellt werden. Doch tatsächlich handelt es sich um einen Fake-Shop, der keine Bilder liefert. Stattdessen bucht der unseriöse Anbieter deutlich mehr Geld von der Kreditkarte ab als beim Bestellprozess angezeigt wurde. --------------------------------------------- https://www.watchlist-internet.at/news/bestellung-auf-fotoexperte24de-fuehr… ∗∗∗ Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 ∗∗∗ --------------------------------------------- Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffi… ∗∗∗ ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities ∗∗∗ --------------------------------------------- In several recent Incident Response engagements, Mandiant has observed threat actors exploiting the vulnerabilities in different ways than previously reported. --------------------------------------------- https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. Davon wird eine als "Kritisch", sechs als "High", und acht als "Medium" eingestuft. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr). --------------------------------------------- https://lwn.net/Articles/876327/ ∗∗∗ Netgear patches severe pre-auth RCE in 61 router and modem models ∗∗∗ --------------------------------------------- Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year. --------------------------------------------- https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bug… ∗∗∗ ZDI-21-1320: Trend Micro Antivirus for Mac Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1320/ ∗∗∗ ZDI-21-1319: (0Day) Autodesk Design Review PNG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1319/ ∗∗∗ ZDI-21-1317: (0Day) Autodesk Design Review PDF File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1317/ ∗∗∗ ZDI-21-1316: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1316/ ∗∗∗ ZDI-21-1315: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1315/ ∗∗∗ Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WooCommerce Extension – Reflected XSS Vulnerability ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-… ∗∗∗ Synology-SA-21:29 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_29 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01 ∗∗∗ Mitsubishi Electric GOT products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2021
by Daily end-of-shift report 16 Nov '21

16 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-11-2021 18:00 − Dienstag 16-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Malware: Emotet ist zurück ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine neue Variante von Emotet entdeckt. Noch wird der Schädling von einer anderen Malware nachgeladen. --------------------------------------------- https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html ∗∗∗ Windows Sonder-Updates gegen DC-Authentifizierungsprobleme und Druckprobleme ∗∗∗ --------------------------------------------- Die Sicherheitsupdates vom November für Windows verursachen teils Authentifizierungsprobleme bei Domain Controllern sowie Druckprobleme. Microsoft patcht nach. --------------------------------------------- https://heise.de/-6267784 ∗∗∗ Fake Ransomware Infection Spooks Website Owners ∗∗∗ --------------------------------------------- Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “FOR RESTORE SEND 0.1 BITCOIN” were sitting at 6 last week and increased to 291 at the time of writing this. --------------------------------------------- https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-ow… ∗∗∗ GitHub Confirms Another Major NPM Security Defect ∗∗∗ --------------------------------------------- Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain. --------------------------------------------- https://www.securityweek.com/github-confirms-another-major-npm-security-def… ∗∗∗ Black Friday: Vorsicht vor Fake-Angeboten ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday. Und darauf folgt am 29. November schon der Cyber Monday - für Schnäppchenjäger wahre Shopping-Feiertage. Wir raten aber zur Vorsicht: Nicht nur seriöse Anbieter locken mit günstigen Preisen und Rabatten, auch Fake-Shops werben mit Black Friday Angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeb… ∗∗∗ An update on the state of the NIS2 draft ∗∗∗ --------------------------------------------- This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions. --------------------------------------------- https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft ∗∗∗ New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks ∗∗∗ --------------------------------------------- [...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-gover… ∗∗∗ A new Android banking trojan named SharkBot is makings its presence felt ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts. --------------------------------------------- https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-maki… ∗∗∗ New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk ∗∗∗ --------------------------------------------- Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...] --------------------------------------------- https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-att… ∗∗∗ Kernel Karnage – Part 3 (Challenge Accepted) ∗∗∗ --------------------------------------------- [...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn’t impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame. --------------------------------------------- https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/876227/ ∗∗∗ Synology-SA-21:28 Mail Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_28 ∗∗∗ AMD Windows 10-Grafiktreiber mit Schwachstellen (Nov. 2021) ∗∗∗ --------------------------------------------- Nutzer mit AMD-Grafikkarten und Windows 10 sollten sich mit dem Thema Aktualisierung von AMD-Grafiktreibern befassten. Der Hersteller hat eingestanden, dass seine Windows 10-Grafiktreiber zahlreiche Sicherheitslücken aufweisen. Einige Schwachstellen (z.B. im Grafiktreiber) werden als sicherheitstechnisch Hoch eingestuft. --------------------------------------------- https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwach… ∗∗∗ WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-049/ ∗∗∗ WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-050/ ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-056/ ∗∗∗ Grafana: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1205 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1207 ∗∗∗ ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1312/ ∗∗∗ ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1311/ ∗∗∗ ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1310/ ∗∗∗ Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesy… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-n… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2021
by Daily end-of-shift report 15 Nov '21

15 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-11-2021 18:00 − Montag 15-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ PSA: Apple isn’t actually patching all the security holes in older versions of macOS ∗∗∗ --------------------------------------------- Big Sur got a fix 234 days before Catalina did, although both are supported. --------------------------------------------- https://arstechnica.com/?p=1812611 ∗∗∗ FTC shares ransomware defense tips for small US businesses ∗∗∗ --------------------------------------------- The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors attempts to exploit vulnerabilities using social engineering or exploits targeting technology. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-shares-ransomware-defens… ∗∗∗ Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th) ∗∗∗ --------------------------------------------- I made a video of the maldoc analysis I explained in yesterday's diary entry "Obfuscated Maldoc: Reversed BASE64". --------------------------------------------- https://isc.sans.edu/diary/rss/28032 ∗∗∗ Changing your AD Password Using the Clipboard - Not as Easy as Youd Think!, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Let me know if this scenario is familiar? [...] Microsoft won't allow you to paste a password into their GUI "password change". Apparantly Microsoft wants us to continue to use passwords like "Passw0rd1!" and "Winter2021!" forever, until all AD domains are "passwordless" --------------------------------------------- https://isc.sans.edu/diary/rss/28036 ∗∗∗ Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Since Patch Tuesday, we've been tracking a Kerboros issue in November's patch bundle that affected authentication in several deployment scenarios: [...] This was fixed out of band yesterday (November 14, 2021). If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers. --------------------------------------------- https://isc.sans.edu/diary/rss/28040 ∗∗∗ Exploiting CSP in Webkit to Break Authentication & Authorization ∗∗∗ --------------------------------------------- [...] Long story short, there was a vulnerability that we reported to Safari that Apple didn’t consider severe enough to fix quickly which then after waiting for a significant amount of time, we decided to exploit and earn some bounties by reporting them to bug bounty programs. --------------------------------------------- https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-… ∗∗∗ E-Mail-Server des FBI gehackt - für Fake-Warnungen über Cyber-Angriffe genutzt ∗∗∗ --------------------------------------------- Cyberkriminelle haben einen E-Mail-Server des FBI gekapert. Anschließend verschickten sie über 100.000 Spam-Mails mit einer Warnung vor einem Cyberangriff. --------------------------------------------- https://heise.de/-6266349 ∗∗∗ POC2021 – Pwning the Windows 10 Kernel with NFTS and WNF Slides ∗∗∗ --------------------------------------------- Alex Plaskett presented “Pwning the Windows 10 Kernel with NTFS and WNF” at Power Of Community (POC) on the 11th of November 2021. The abstract of the talk is as follows: A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad [...] --------------------------------------------- https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kern… ∗∗∗ Exchange Exploit Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. ProxyShell is a name given to [...] --------------------------------------------- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-… ∗∗∗ AutoPoC - Validating the Lack of Validation in PoCs ∗∗∗ --------------------------------------------- HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful. --------------------------------------------- https://blog.zsec.uk/honeypoc-ultimate/ ∗∗∗ AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits ∗∗∗ --------------------------------------------- AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp). --------------------------------------------- https://lwn.net/Articles/876135/ ∗∗∗ Security Bulletin: Use of a one way hash without a salt in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-use-of-a-one-way-hash-wit… ∗∗∗ Security Bulletin: Hazardous Input Validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38972) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Password stored in cleartext in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-password-stored-in-cleart… ∗∗∗ Security Bulletin: Missing http strict transport security header in in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38978) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-http-strict-trans… ∗∗∗ Security Bulletin: Cross-Site scripting in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38982) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-in-i… ∗∗∗ Security Bulletin: Missing cookie secure attribute in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-secure-att… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38985) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38983) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Using components with known vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-components-with-kno… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Denial of service in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38974) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Information exposure in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38975) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-in-i… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38984) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38981) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2021
by Daily end-of-shift report 12 Nov '21

12 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-11-2021 18:00 − Freitag 12-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom dichtet Sicherheitslücken in mehreren Produkten und Clients ab ∗∗∗ --------------------------------------------- In einigen Produkten des Webkonferenz-Anbieters Zoom hat der Hersteller Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6265648 ∗∗∗ Kriminelle versenden betrügerische Mails im Namen der Post! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche LeserInnen ein betrügerisches E-Mail, das im Namen der Post verschickt wird. Darin behaupten die Kriminellen, dass für eine Bestellung zusätzliche Einfuhrgebühren notwendig seien. Auch wenn Sie gerade auf ein Paket warten, sollten Sie bei solchen E-Mails skeptisch sein. In diesem Fall versuchen die BetrügerInnen an Ihr Geld zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-betruegerische-… ∗∗∗ HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks ∗∗∗ --------------------------------------------- HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-hi… ∗∗∗ Malware uses namesilo Parking pages and Googles custom pages to spread ∗∗∗ --------------------------------------------- Recently, we found a suspicious GoELFsample, which is a downloder mainly to spread mining malwares. The interesting part is that we noticed it using namesilos Parking page and Googles user-defined page to spread the sample and configuration. Apparently this is yet another attempt to hide control channel to avoid [...] --------------------------------------------- https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pa… ∗∗∗ Murder-for-hire, money laundering, and more: How organised criminals work online ∗∗∗ --------------------------------------------- Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-launder… ∗∗∗ “We wait, because we know you.” Inside the ransomware negotiation economics. ∗∗∗ --------------------------------------------- Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside… ∗∗∗ Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch ∗∗∗ --------------------------------------------- A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed. --------------------------------------------- https://www.securityweek.com/researcher-shows-windows-flaw-more-serious-aft… ∗∗∗ When the alarms go off: 10 key steps to take after a data breach ∗∗∗ --------------------------------------------- It’s often said that data breaches are no longer a matter of ‘if’, but ‘when’ – here’s what your organization should do, and avoid doing, in the case of a security breach --------------------------------------------- https://www.welivesecurity.com/2021/11/11/alarms-go-off-10-steps-take-data-… ∗∗∗ Network Code on Cybersecurity is out for public consultation ∗∗∗ --------------------------------------------- The draft for the Network Code for cybersecurity aspects of cross-border electricity flows has been released today for public consultation. ENCS has collaborated on the writing of the Network Code as part of the drafting team. During the public consultation period, stakeholders within the energy sector have the opportunity of sharing their views on the [...] --------------------------------------------- https://encs.eu/news/network-code-on-cybersecurity-is-out-for-public-consul… ∗∗∗ Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records ∗∗∗ --------------------------------------------- Highlights: Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021 Numbers show a 178% increase compared to 2021 so far 1 out of 38 corporate networks are being impacted on average per week in November, compared to 1 in 47 in October, and [...] --------------------------------------------- https://blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-website… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284) ∗∗∗ --------------------------------------------- Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), [...] --------------------------------------------- https://lwn.net/Articles/875931/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- This advisory contains mitigation for Stack-based Buffer Overflow, and Out-of-bounds Write vulnerabilities in WECON PLC Editor ladder logic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-01 ∗∗∗ Multiple Data Distribution Service (DDS) Implementations ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in Multiple Data Distribution Service (DDS) Implementations developed by a number of different vendors. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02 ∗∗∗ VMware Releases Security Update for Tanzu Application Service for VMs ∗∗∗ --------------------------------------------- VMware has released a security update to address a vulnerability in Tanzu Application Service for VMs. A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0026 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/vmware-releases-s… ∗∗∗ SYSS-2021-057: Open Redirect durch HTML Injection in Cryptshare ∗∗∗ --------------------------------------------- Im Cryptshare-Server besteht eine Schwachstelle. Sie erlaubt Angreifenden, die Empfänger einer manipulierten Nachricht auf beliebige Seiten weiterzuleiten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-057-open-redirect-durch-html-inj… ∗∗∗ Unlimited Sitemap Generator vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN58407606/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1201 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2021
by Daily end-of-shift report 11 Nov '21

11 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-11-2021 18:00 − Donnerstag 11-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! ∗∗∗ --------------------------------------------- The crooks have shown that the'yre willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too. --------------------------------------------- https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/ ∗∗∗ Understanding .htaccess Malware ∗∗∗ --------------------------------------------- The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, modify php.ini values; the possibilities are endless. Many site owners are unaware of this file, due to it starting with a “.” making it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...] --------------------------------------------- https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html ∗∗∗ A Detailed Analysis of Lazarus’ RAT Called FALLCHILL ∗∗∗ --------------------------------------------- FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime. --------------------------------------------- https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-call… ∗∗∗ The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. ∗∗∗ --------------------------------------------- Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way...The post The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. appeared first on McAfee Blogs. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-a… ∗∗∗ ClusterFuzzLite: Continuous fuzzing for all ∗∗∗ --------------------------------------------- Posted by Jonathan Metzman, Google Open Source Security TeamIn recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST’s guidelines for software verification, recently released in response to the White House Executive Order on --------------------------------------------- http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-f… ∗∗∗ HändlerInnen aufgepasst: BetrügerInnen geben Fake-Bestellungen im Namen von ATOS auf ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als das Unternehmen ATOS aus und bekunden per Mail Interesse an einer Großbestellung. Für die betroffenen HändlerInnen mag das nach einem schnellen und leichten Geschäft klingen, doch tatsächlich hat die seriöse Firma ATOS nichts mit dieser Bestellung am Hut. Stattdessen würden Sie ihre Produkte an Kriminelle versenden, Geld dafür erhalten Sie nicht. --------------------------------------------- https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerin… ∗∗∗ Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications ∗∗∗ --------------------------------------------- [...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique. --------------------------------------------- https://posts.specterops.io/capability-abstraction-case-study-detecting-mal… ∗∗∗ A Peek into Top-Level Domains and Cybercrime ∗∗∗ --------------------------------------------- We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains. --------------------------------------------- https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ ∗∗∗ BazarBackdoor now abuses Windows 10 apps feature in call me back attack ∗∗∗ --------------------------------------------- AppInstaller.exe has been twisted in a new form of phishing attack. --------------------------------------------- https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-featur… ∗∗∗ October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time ∗∗∗ --------------------------------------------- Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide. --------------------------------------------- https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-tr… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1303/ ∗∗∗ Wordpress-Plug-in WP Reset Pro fixt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In WP Reset Pro klaffte eine Sicherheitslücke, durch die angemeldete Nutzer auch ohne entsprechende Rechte ganze Wordpress-Webauftritte löschen konnten. --------------------------------------------- https://heise.de/-6264564 ∗∗∗ Sicherheitsupdate: Kritische Root-Lücke bedroht Firewalls von Palo Alto ∗∗∗ --------------------------------------------- Sind bestimmte Einstellungen aktiviert und Voraussetzungen gegeben, könnten Angreifer Palo-Alto-Firewalls attackieren. --------------------------------------------- https://heise.de/-6264656 ∗∗∗ Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin ∗∗∗ --------------------------------------------- On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” [...] --------------------------------------------- https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py). --------------------------------------------- https://lwn.net/Articles/875813/ ∗∗∗ iCloud for Windows 13 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212953 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ VMSA-2021-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0026.html ∗∗∗ NGINX Ingress Controller vulnerability CVE-2021-23055 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_mediu… ∗∗∗ Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html ∗∗∗ Stack Buffer Overflow Vulnerability in Multimedia Console ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-45 ∗∗∗ Reflected XSS Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-47 ∗∗∗ TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-64 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2021
by Daily end-of-shift report 10 Nov '21

10 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-11-2021 18:00 − Mittwoch 10-11-2021 18:00 Handler: Stephan Richter Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Researcher Details Vulnerabilities Found in AWS API Gateway ∗∗∗ --------------------------------------------- AWS fixed the security flaws that left the API service at risk of so-called HTTP header-smuggling attacks, says the researcher who discovered them. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/researcher-details-vuln… ∗∗∗ Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog ∗∗∗ --------------------------------------------- Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox. All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0. --------------------------------------------- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by… ∗∗∗ Patchday: Microsoft warnt vor Attacken auf Excel und Exchange ∗∗∗ --------------------------------------------- Abermals haben es Angreifer Exchange Server abgesehen. Außerdem gibt es wichtige Sicherheitsupdates für Azure, Office, Windows & Co. --------------------------------------------- https://heise.de/-6263036 ∗∗∗ Patchday: SAP schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Am Patch-Tuesday hat auch SAP Aktualisierungen für seine Produkte veröffentlicht. Ein Fix behandelt eine kritische Lücke im ABAP Platform Kernel. --------------------------------------------- https://heise.de/-6263099 ∗∗∗ Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton ∗∗∗ --------------------------------------------- Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem. --------------------------------------------- https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabili… ∗∗∗ Achtung: Momentan kursieren zahlreiche E-Mails mit Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte E-Mails im Namen von Electrolux, Weitzer Parkett Vertriebs GmbH und der TU Wien. Wer ein komisches E-Mail mit der Aufforderung einen Anhang zu öffnen erhält, sollte besonders vorsichtig sein. Im Anhang befindet sich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-momentan-kursieren-zahlreich… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Server Vulnerabilities – November 2021 ∗∗∗ --------------------------------------------- During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Platform Security Processor (PSP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Cloud Pak for Multicloud Management Infrastructure Management, Cloud Pak for Multicloud Management Managed Services, Rational Business Developer, InfoSphere Information Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Open Design Alliance (ODA) Security Advisories ∗∗∗ --------------------------------------------- ODA PRC SDK, Drawings SDK, ODA Viewer --------------------------------------------- https://www.opendesign.com/security-advisories ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-8 and samba), Fedora (community-mysql, firefox, and vim), openSUSE (binutils, kernel, and tinyxml), Red Hat (annobin, autotrace, babel, bind, binutils, bluez, compat-exiv2-026, container-tools:2.0, container-tools:3.0, container-tools:rhel8, cups, curl, dnf, dnsmasq, edk2, exiv2, file, file-roller, firefox, gcc, gcc-toolset-10-annobin, gcc-toolset-10-binutils, gcc-toolset-10-gcc, gcc-toolset-11-annobin, gcc-toolset-11-binutils,[...] --------------------------------------------- https://lwn.net/Articles/875708/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/adobe-releases-se… ∗∗∗ BSRT-2021-003 Vulnerabilities Impact BlackBerry Protect for Windows ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-21-1302: Ivanti Avalanche EnterpriseServer Service SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1302/ ∗∗∗ ZDI-21-1301: Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1301/ ∗∗∗ ZDI-21-1300: Ivanti Avalanche User Management Improper Authentication Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1300/ ∗∗∗ ZDI-21-1299: Ivanti Avalanche Filestore Management Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1299/ ∗∗∗ ZDI-21-1298: Ivanti Avalanche JNLP File Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1298/ ∗∗∗ Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signa… ∗∗∗ INTEL-SA-00481 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00560 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00568 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00569 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00567 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ VMSA-2021-0025 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0025.html ∗∗∗ Samba 4.15.2, 4.14.10, 4.13.14 security releases available ∗∗∗ --------------------------------------------- https://lwn.net/Articles/875565/ ∗∗∗ Philips MRI 1.5T and 3T ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01 ∗∗∗ OSIsoft PI Vision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06 ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2021 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500449-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp Clustered Data ONTAP Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500448-NETAPP-CLUSTERED-DATA-O… ∗∗∗ Realtek Driver Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500447-REALTEK-DRIVER-PRIVILEG… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2021) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500446-MULTI-VENDOR-BIOS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2021
by Daily end-of-shift report 09 Nov '21

09 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-11-2021 18:00 − Dienstag 09-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus ∗∗∗ --------------------------------------------- Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-ex… ∗∗∗ Abcbot, an evolving botnet ∗∗∗ --------------------------------------------- Business on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also continuing to focus on security incidents and trends on the cloud from its own expertise in the technology field. The following is a recent security incident we observed, --------------------------------------------- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ ∗∗∗ (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th) ∗∗∗ --------------------------------------------- As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures. Install this tool, enable this feature, disable this function, etc. When enabled, these techniques can also be (ab)used by attackers to perform nasty actions. --------------------------------------------- https://isc.sans.edu/diary/rss/28014 ∗∗∗ WooCommerce Skimmer Spoofs Checkout Page ∗∗∗ --------------------------------------------- Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information: This form was foreign to our client and was clearly placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are) [...] --------------------------------------------- https://blog.sucuri.net/2021/11/woocommerce-skimmer-spoofs-checkout-page.ht… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Security Flaws ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released a total of 20 Patch Tuesday advisories to address more than 50 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ „media-markt-outlet.de“ ist Fake ∗∗∗ --------------------------------------------- Die Webseite media-markt-outlet.de gibt vor, ein Outlet-Store von Media Markt zu sein. Da es sich bei diesem Fake-Shop angeblich um ein Outlet handelt, erscheinen die günstigen Preise auf dem ersten Blick nicht untypisch. Doch Vorsicht: media-markt-outlet.de ist Fake - Sie erhalten trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-outletde-ist-fake/ ∗∗∗ The Invisible JavaScript Backdoor ∗∗∗ --------------------------------------------- A few months ago we saw a post on the r/programminghorror subreddit: A developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: What if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews? --------------------------------------------- https://certitude.consulting/blog/en/invisible-backdoor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf CMS Sitecore Experience Platform beobachtet ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf eine Schadcode-Lücke im Content Management System Sitecore XP abgesehen. Sicherheitspatches gibt es bereits seit Oktober 2021. --------------------------------------------- https://heise.de/-6262157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, grafana, jenkins, opera, and thunderbird), Debian (botan1.10 and ckeditor), openSUSE (chromium, kernel, qemu, and rubygem-activerecord-5_1), SUSE (qemu and rubygem-activerecord-5_1), and Ubuntu (docker.io, kernel, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/875531/ ∗∗∗ Adobe Patches Critical RoboHelp Server Security Flaw ∗∗∗ --------------------------------------------- Software maker Adobe on Tuesday released patches to cover at least four documented security defects that expose users to malicious hacker attacks. The most serious of the flaw was addressed in RoboHelp Server and is rated “critical” because it exposes corporate environments to arbitrary code execution attacks. --------------------------------------------- https://www.securityweek.com/adobe-patches-critical-robohelp-server-securit… ∗∗∗ IPAS: Security Advisories for November 2021 ∗∗∗ --------------------------------------------- Hi everyone, Today we released 25 security advisories addressing 72 vulnerabilities. Through our internal security research and the investment we make in our bug bounty programs, 96% of the issues being addressed today are the result of our proactive product security assurance efforts. Given that almost half of today’s advisories address drivers in various components, [...] --------------------------------------------- https://blogs.intel.com/technology/2021/11/intel-security-advisories-for-no… ∗∗∗ NUCLEUS:13 vulnerabilities impact Siemens medical & industrial equipment ∗∗∗ --------------------------------------------- Security researchers have disclosed today a set of 13 vulnerabilities that impact a crucial Siemens software library that is included with medical devices, automotive, and industrial systems. --------------------------------------------- https://therecord.media/nucleus13-vulnerabilities-impact-siemens-medical-in… ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX330728 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23509 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Compress Library affects IBM LKS ART and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (July 2021) affects IBM InfoSphere Information Server (CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-25648, CVE-2021-31535, CVE-2021-20305, CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-4152, CVE-2020-4160, CVE-2020-4153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Safer Payments v5.7 to v6.3 releases are affected by an OpenSSL Security Advisory (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-safer-payments-v5-7-t… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2021
by Daily end-of-shift report 08 Nov '21

08 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-11-2021 18:00 − Montag 08-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unbekannte infiltrieren Paketmanager npm und verseuchen Tools mit Schadcode ∗∗∗ --------------------------------------------- Die Betreiber des Paketmanagers npm warnen davor, dass Unbefugte die Pakete coa und rc trojanisiert haben. --------------------------------------------- https://heise.de/-6260153 ∗∗∗ Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer ∗∗∗ --------------------------------------------- A malicious campaign against ManageEngine ADSelfService Plus used Godzilla webshells, the NGLite backdoor and KdcSponge, a credential stealer. --------------------------------------------- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ ∗∗∗ Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice ∗∗∗ --------------------------------------------- Trend Micros ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DCs Thunderstruck on the contests third day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwn2own-printer-plays-ac-dc-… ∗∗∗ Sitecore XP RCE flaw patched last month now actively exploited ∗∗∗ --------------------------------------------- The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). --------------------------------------------- https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched… ∗∗∗ Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th) ∗∗∗ --------------------------------------------- I made a video showing the steps to take to decrypt Cobalt Strike traffic that I covered in my diary entry "Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory". --------------------------------------------- https://isc.sans.edu/diary/rss/28008 ∗∗∗ ICS Threat Hunting: “Theyre Shootin’ at the Lights!” - PART 2 ∗∗∗ --------------------------------------------- [...] In this PART 2 of the blog series we will: Identify several critical and targeted ICS assets to protect, Identify related data sources for those assets, Focus on aspects of threat intel to use for a hunt, Build a threat hunt package template to prepare for executing the actual hunt --------------------------------------------- https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights… ∗∗∗ TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access ∗∗∗ --------------------------------------------- NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the [...] --------------------------------------------- https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnera… ∗∗∗ DDoS Attack Trends for Q3 2021 ∗∗∗ --------------------------------------------- The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world. --------------------------------------------- https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/ ∗∗∗ ASEC Weekly Malware Statistics (October 25th, 2021 – October 31st, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 25th, 2021 (Monday) to October 31st, 2021 (Sunday). For the main category, info-stealer ranked top with 48.3%, followed by RAT (Remote Administration Tool) malware with 24.5%, Downloader with 18.3%, Backdoor malware with 4.6%, Ransomware with 4.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/28464/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/875420/ ∗∗∗ Security Bulletin:Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinmultiple-security-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting in Guardium STAP vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XSS vulerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulerability-in-dojo-… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerable to a denial of service attack (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-commons-f… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2021
by Daily end-of-shift report 05 Nov '21

05 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-11-2021 18:00 − Freitag 05-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing emails deliver spooky zombie-themed MirCop ransomware ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-deliver-spoo… ∗∗∗ Bluetooth-Lücken Braktooth: Das Patchen geht nur schleppend voran ∗∗∗ --------------------------------------------- Für Braktooth-Attacken anfällige Bluetooth-Geräte könnten zeitnah in den Fokus von Angreifern rücken. Patches sind noch längst nicht flächendeckend verfügbar. --------------------------------------------- https://heise.de/-6254474 ∗∗∗ SSL certificate research highlights pitfalls for company data, competition ∗∗∗ --------------------------------------------- Analysis reveals hidden risks for organizations that do not monitor their certificate usage. --------------------------------------------- https://www.zdnet.com/article/ssl-certificate-research-highlights-pitfalls-… ∗∗∗ The IoT is getting a lot bigger, but security is still getting left behind ∗∗∗ --------------------------------------------- Four in five Internet of Things device vendors dont provide any information on how to disclose security vulnerabilities. That means problems just dont get fixed. --------------------------------------------- https://www.zdnet.com/article/the-iot-is-getting-a-lot-bigger-but-security-… ∗∗∗ Malware found in coa and rc, two npm packages with 23M weekly downloads ∗∗∗ --------------------------------------------- The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware. --------------------------------------------- https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-2… ∗∗∗ Datenbank mit Millionen Daten von VPN-Nutzern ungeschützt im Internet (Okt. 2021) ∗∗∗ --------------------------------------------- Wer VPN-Anbieter nutzt, muss sich auf deren Sicherheit und Integrität verlassen können. Sicherheitsforscher Bob Diachenko von comparitech ist kürzlich im Internet auf eine ungeschützte Datenbank (kein Passwort) gestoßen, die mehr als 300 Millionen Datensätze mit den persönlichen Daten [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/05/datenbank-mit-millionen-daten-von-… ∗∗∗ Phishing PDF Files with CAPTCHA Screen Being Mass-distributed ∗∗∗ --------------------------------------------- Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000. --------------------------------------------- https://asec.ahnlab.com/en/28431/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1278: Hewlett Packard Enterprise iLO Amplifier Pack backup Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise iLO Amplifier Pack. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1278/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd). --------------------------------------------- https://lwn.net/Articles/875212/ ∗∗∗ SYSS-2021-048/SYSS-2021-049: PHP Event Calendar – SQL Injection und Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- Im "PHP Event Calendar" wurden zwei Sicherheitslücken gefunden. So kann die Datenbank ausgelesen oder die Sitzung anderer Nutzer kompromittiert werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-048/syss-2021-049-php-event-cale… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1157 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29753 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2021
by Daily end-of-shift report 04 Nov '21

04 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-11-2021 18:00 − Donnerstag 04-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe ∗∗∗ --------------------------------------------- Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert. --------------------------------------------- https://heise.de/-6251668 ∗∗∗ BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste ∗∗∗ --------------------------------------------- Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper „Moderne Messenger – heute verschlüsselt, morgen interoperabel?“ Antwort. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen ∗∗∗ --------------------------------------------- Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette. --------------------------------------------- https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-interna… ∗∗∗ Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen! ∗∗∗ --------------------------------------------- Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoin… ∗∗∗ Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware ∗∗∗ --------------------------------------------- A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshel… ∗∗∗ Samsung Galaxy S21 hacked on second day of Pwn2Own Austin ∗∗∗ --------------------------------------------- Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on… ∗∗∗ 5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls ∗∗∗ --------------------------------------------- Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques. --------------------------------------------- https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-… ∗∗∗ Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns ∗∗∗ --------------------------------------------- Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands. --------------------------------------------- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-van… ∗∗∗ Credit card skimmer evades Virtual Machines ∗∗∗ --------------------------------------------- After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimm… ∗∗∗ The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing ∗∗∗ --------------------------------------------- In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankens… ∗∗∗ Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server ∗∗∗ --------------------------------------------- GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/ ∗∗∗ Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 ∗∗∗ --------------------------------------------- We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decr… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Reported in Linux Kernels TIPC Module ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...] --------------------------------------------- https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/875106/ ∗∗∗ Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server ∗∗∗ --------------------------------------------- [...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-051/ ∗∗∗ VISAM VBASE Editor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02 ∗∗∗ BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities ∗∗∗ --------------------------------------------- On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-c… ∗∗∗ Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1154 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2021
by Daily end-of-shift report 03 Nov '21

03 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗ --------------------------------------------- This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple. --------------------------------------------- https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin… ∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗ --------------------------------------------- Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich. --------------------------------------------- https://heise.de/-6247924 ∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗ --------------------------------------------- Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar. --------------------------------------------- https://heise.de/-6249588 ∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗ --------------------------------------------- Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba… ∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-… ∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗ --------------------------------------------- On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. --------------------------------------------- https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go… ∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗ --------------------------------------------- An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran ∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus. --------------------------------------------- https://heise.de/-6247997 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak). --------------------------------------------- https://lwn.net/Articles/874980/ ∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1277/ ∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1276/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-… ∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/ ∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1143 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2021
by Daily end-of-shift report 02 Nov '21

02 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-10-2021 18:00 − Dienstag 02-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trojan Source: Programmiersprachen lassen sich per Unicode trojanisieren ∗∗∗ --------------------------------------------- Ein Forschungsteam zeigt systematisch, wie sich mit Unicode-Tricks Code manipulieren lässt. Open-Source-Communitys und die IT-Industrie reagieren. --------------------------------------------- https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per… ∗∗∗ BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool ∗∗∗ --------------------------------------------- The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports. --------------------------------------------- https://www.securityweek.com/blackmatter-ransomware-operators-develop-custo… ∗∗∗ FBI Publishes IOCs for Hello Kitty Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has published a flash alert to share details on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Hello Kitty ransomware, which is also known as FiveHands. --------------------------------------------- https://www.securityweek.com/fbi-publishes-iocs-hello-kitty-ransomware ∗∗∗ Webseiten-BetreiberInnen aufgepasst: Gefälschte E-Mails von WORLD4YOU im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan betrügerische E-Mails im Namen von Wordl4You. In den betrügerischen E-Mails wird behauptet, dass die Domain gesperrt wurde, abgelaufen ist oder verlängert werden muss. --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ EU Digital Green Certificate: Was gilt eigentlich bei uns? ∗∗∗ --------------------------------------------- Nachdem der digitale grüne Pass gerade in den Medien ist, und ich für den Standard den Erklärbären mache, will ich hier ein paar technische Informationen dokumentieren, die für einen Zeitungsartikel dann doch zu technisch sind. --------------------------------------------- https://cert.at/de/blog/2021/10/eu-digital-green-certificate-was-gilt-eigen… ∗∗∗ Shodan Verified Vulns 2021-11-01 ∗∗∗ --------------------------------------------- Das "Cyber-Security-Month" Oktober ist vorbei, aber, wie ein Blick in unsere Shodan-Daten vom 2021-11-01 verrät, hatte es keinen direkt sichtbaren Effekt: Die Veränderungen zu Anfang Oktober sind überschaubar. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/shodan-verified-vulns-2021-11-01 ∗∗∗ From Zero to Domain Admin ∗∗∗ --------------------------------------------- This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. --------------------------------------------- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ ===================== = Vulnerabilities = ===================== ∗∗∗ Android November patch fixes actively exploited kernel bug ∗∗∗ --------------------------------------------- Google has released the Android November 2021 security updates, which address 18 vulnerabilities in the framework and system components, and 18 more flaws in the kernel and vendor components. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-november-patch-fixes… ∗∗∗ Alert! Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild ∗∗∗ --------------------------------------------- A now-patched critical remote code execution (RCE) vulnerability in GitLabs web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks. --------------------------------------------- https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Tivoli Composite Application Manager for Transactions, InfoSphere Information Server, InfoSphere DataStage Flow Designer, API Connect, Application Discovery and Delivery Intelligence, MessageGateway, PowerSC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Firefox-Updates schließen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- Die Entwickler der Mozilla Foundation haben im Webbrowser Firefox mehr als ein Dutzend Sicherheitslücken gestopft. --------------------------------------------- https://heise.de/-6245344 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, webkit2gtk). --------------------------------------------- https://lwn.net/Articles/874623/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman). --------------------------------------------- https://lwn.net/Articles/874818/ ∗∗∗ Kaspersky Patches Vulnerability That Can Lead to Unbootable System ∗∗∗ --------------------------------------------- Kaspersky published two advisories on Monday to warn customers about a vulnerability that can lead to unbootable systems and a phishing campaign involving messages sent from a Kaspersky email address. --------------------------------------------- https://www.securityweek.com/kaspersky-patches-vulnerability-can-lead-unboo… ∗∗∗ November 1, 2021 TNS-2021-18 [R1] Nessus 10.0.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-18 ∗∗∗ Synology-SA-21:27 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_27 ∗∗∗ Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-306-01 ∗∗∗ WECON PI Studio (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2021
by Daily end-of-shift report 29 Oct '21

29 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗ --------------------------------------------- Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten. --------------------------------------------- https://heise.de/-6236592 ∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗ --------------------------------------------- Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-name… ∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗ --------------------------------------------- This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say. --------------------------------------------- https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribu… ∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗ --------------------------------------------- Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency. --------------------------------------------- https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/ ∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗ --------------------------------------------- Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...] --------------------------------------------- https://blog.netlab.360.com/pink-en/ ∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗ --------------------------------------------- An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. --------------------------------------------- https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.ht… ∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗ --------------------------------------------- We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-y… ∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗ --------------------------------------------- Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/ ∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-s… ===================== = Vulnerabilities = ===================== ∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗ --------------------------------------------- A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/all-windows-versions-impacte… ∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗ --------------------------------------------- CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN69304877/ ∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗ --------------------------------------------- Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootle… ∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗ --------------------------------------------- On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations. --------------------------------------------- https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-soc… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/874354/ ∗∗∗ Sensormatic Electronics victor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01 ∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ GoCD Authentication Vulnerability ∗∗∗ --------------------------------------------- GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authenticati… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60553023/ ∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1273/ ∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1272/ ∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1271/ ∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1270/ ∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1275/ ∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1274/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2021
by Daily end-of-shift report 28 Oct '21

28 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-10-2021 18:00 − Donnerstag 28-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ QR Codes Help Attackers Sneak Emails Past Security Controls ∗∗∗ --------------------------------------------- A recently discovered campaign shows how attackers are constantly developing new techniques to deceive phishing victims. --------------------------------------------- https://www.darkreading.com/attacks-breaches/qr-codes-help-attackers-sneak-… ∗∗∗ How we took part in MLSEC and (almost) won ∗∗∗ --------------------------------------------- How we took part in the Machine Learning Security Evasion Competition (MLSEC) — a series of trials testing contestants’ ability to create and attack machine learning models. --------------------------------------------- https://securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/ ∗∗∗ EU’s Green Pass Vaccination ID Private Key Leaked ∗∗∗ --------------------------------------------- The private key used to sign the vaccine passports was leaked and is being passed around to create fake passes for the likes of Mickey Mouse and Adolf Hitler. --------------------------------------------- https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175… ∗∗∗ New Wslink Malware Loader Runs as a Server and Executes Modules in Memory ∗∗∗ --------------------------------------------- Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. --------------------------------------------- https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html ∗∗∗ Threat profile: Ranzy Locker ransomware ∗∗∗ --------------------------------------------- What you need to know about Ranzy Locker ransomware. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locke… ∗∗∗ PSA: Widespread Remote Working Scam Underway ∗∗∗ --------------------------------------------- Attackers are posting jobs pretending to be from existing companies and steal money and/or personal information from jobseekers. --------------------------------------------- https://www.wordfence.com/blog/2021/10/psa-widespread-remote-working-scam-u… ∗∗∗ Trends und Entwicklungen bei Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops gibt es wie Sand am Meer - und auch sie entwickeln sich nach Trends: Von E-Bikes bis zur Playstation5. Diese Trends sind von der Saison, aber auch von Angebot und Nachfrage abhängig. Was die Watchlist Internet im letzten Jahr über Fake-Shop-Trends erfahren hat, lesen Sie hier. --------------------------------------------- https://www.watchlist-internet.at/news/trends-und-entwicklungen-bei-fake-sh… ∗∗∗ Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains ∗∗∗ --------------------------------------------- Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile. --------------------------------------------- https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-loc… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 19 Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, neun als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (salt), Slackware (bind), SUSE (salt), and Ubuntu (php5, php7.0, php7.2, php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/874210/ ∗∗∗ 2021 CWE Most Important Hardware Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/2021-cwe-most-imp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2021
by Daily end-of-shift report 27 Oct '21

27 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 25-10-2021 18:00 − Mittwoch 27-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Babuk ransomware decryptor released to recover files for free ∗∗∗ --------------------------------------------- Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-r… ∗∗∗ Vorsicht: Neue Betrugswelle mit vermeintlichen DHL-SMS ∗∗∗ --------------------------------------------- Wieder sind betrügerische SMS zu Paketlieferungen im Umlauf. Ziel ist es, eine Schadsoftware aufs Handy zu bringen. --------------------------------------------- https://futurezone.at/digital-life/betrug-dhl-sms-phishing-ausstehendes-pak… ∗∗∗ Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads ∗∗∗ --------------------------------------------- UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service. --------------------------------------------- https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/ ∗∗∗ Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users ∗∗∗ --------------------------------------------- The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet. --------------------------------------------- https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-b… ∗∗∗ Conti Ransom Gang Starts Selling Access to Victims ∗∗∗ --------------------------------------------- The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Contis malware who refuse to negotiate a ransom payment are added to Contis victim shaming blog, where confidential files stolen from victims may be published or sold. --------------------------------------------- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access… ∗∗∗ „Hallo Mama“ - Vorsicht vor Betrug über WhatsApp! ∗∗∗ --------------------------------------------- Aktuell versuchen BetrügerInnen über WhatsApp an das Geld von potentiellen Opfern zu kommen. Dafür geben Sie sich in einer Nachricht als Tochter oder Sohn der EmpfängerInnen aus und fordern die Überweisung von mehreren tausend Euro. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-vorsicht-vor-betrug-ueber… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Erneute Sicherheitslücke im Plugin Ninja Forms ∗∗∗ --------------------------------------------- Das beliebte Formular-Framework ist erneut von einer Sicherheitslücke betroffen. Das WordPress-Plugin ist auf mehr als einer Million Webseiten aktiv. --------------------------------------------- https://heise.de/-6229249 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/874045/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp). --------------------------------------------- https://lwn.net/Articles/874143/ ∗∗∗ Belden Security Bulletin – BSECV-2020-03: Potential denial of service vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗ --------------------------------------------- A vulnerability in the PROFINET stack implementation in Classic Firmware, HiOS, and HiLCOS could lead to a denial of service via an out of memory condition. --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=13688&mediaformat… ∗∗∗ Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software – September 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Openstack Compute (Nova) noVNC proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openstack-compute-nova-no… ∗∗∗ Security Bulletin: Insufficient session expiration in IBM i2 iBase ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-session-expi… ∗∗∗ Grafana vulnerability CVE-2021-39226 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22322802 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1114 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1121 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-299-01 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/adobe-releases-se… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/apple-releases-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2021
by Daily end-of-shift report 25 Oct '21

25 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-10-2021 18:00 − Montag 25-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA Urges Sites to Patch Critical RCE in Discourse ∗∗∗ --------------------------------------------- The patch, urgently rushed out on Friday, is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central. --------------------------------------------- https://threatpost.com/cisa-critical-rce-discourse/175705/ ∗∗∗ Schadcode in weit verbreiteter JavaScript-Bibliothek UAParser.js entdeckt ∗∗∗ --------------------------------------------- Angreifer haben die JavaScript-Bibliothek UAParser.js mit Schadcode versehen, der auf betroffenen Rechnern Kryptogeld-Miner installiert. --------------------------------------------- https://heise.de/-6226975 ∗∗∗ Ransomware BlackMatter: Forscher bieten Gratis-Decryption für einige Varianten ∗∗∗ --------------------------------------------- Wer in den letzten Monaten eine Erpresserbotschaft der "BlackMatter"-Gang auf seinen Systemen entdeckt hat, kann jetzt auf Hilfe hoffen. --------------------------------------------- https://heise.de/-6227925 ∗∗∗ Betrügerische Smartphone-Ortungsdienste ∗∗∗ --------------------------------------------- Sie haben Ihr Handy verloren – was nun? Eine Google-Suche nach „Handyortung“ ergibt über 1,5 Millionen Treffer. Apps und Services zur Handyortung erfreuen sich großer Beliebtheit. Doch Vorsicht vor „gratis“ Ortungs-Apps wie www.locating.mobi, www.geolite.mobi, www.goandfind.online. Diese führen in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-smartphone-ortungsdie… ∗∗∗ Bericht: Ransomware-Gruppe REvil durch koordinierte Aktion mehrerer Staaten zerschlagen ∗∗∗ --------------------------------------------- An der Aktion sind unter anderem die USA beteiligt. In Sicherheitskreisen ist die Aktion wohl schon seit mehreren Tagen bekannt. --------------------------------------------- https://www.zdnet.de/88397355/bericht-ransomware-gruppe-revil-durch-koordin… ∗∗∗ DDoS attacks hit multiple email providers ∗∗∗ --------------------------------------------- At least six email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned. --------------------------------------------- https://therecord.media/ddos-attacks-hit-multiple-email-providers/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt ∗∗∗ JSA11236 ∗∗∗ --------------------------------------------- 2021-10 Security Bulletin: Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces (CVE-2021-31371) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11236 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/873965/ ∗∗∗ Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1107 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1109 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2021
by Daily end-of-shift report 22 Oct '21

22 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-10-2021 18:00 − Freitag 22-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Evil Corp demands $40 million in new Macaw ransomware attacks ∗∗∗ --------------------------------------------- Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million… ∗∗∗ Hacking gang creates fake firm to hire pentesters for ransomware attacks ∗∗∗ --------------------------------------------- The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-gang-creates-fake-fi… ∗∗∗ Using Kerberos for Authentication Relay Attacks ∗∗∗ --------------------------------------------- This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentic… ∗∗∗ Windows Exploitation Tricks: Relaying DCOM Authentication ∗∗∗ --------------------------------------------- In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-… ∗∗∗ GPS Daemon (GPSD) Rollover Bug ∗∗∗ --------------------------------------------- Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-r… ∗∗∗ CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader ∗∗∗ --------------------------------------------- Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause. --------------------------------------------- https://www.thezdi.com/blog/2021/10/20/cve-2021-28632-amp-cve-2021-39840-by… ∗∗∗ ASEC Weekly Malware Statistics (October 11th, 2021 – October 17th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%. --------------------------------------------- https://asec.ahnlab.com/en/28007/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN Security Bug Allows Root Code Execution ∗∗∗ --------------------------------------------- The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw. --------------------------------------------- https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman). --------------------------------------------- https://lwn.net/Articles/873746/ ∗∗∗ Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1103 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1105 ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow – CVE-2021-29835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2021
by Daily end-of-shift report 21 Oct '21

21 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-10-2021 18:00 − Donnerstag 21-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Cybercrime matures as hackers are forced to work smarter ∗∗∗ --------------------------------------------- An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hacker… ∗∗∗ Franken-phish: TodayZoo built from other phishing kits ∗∗∗ --------------------------------------------- A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-b… ∗∗∗ "Stolen Images Evidence" campaign pushes Sliver-based malware, (Thu, Oct 21st) ∗∗∗ --------------------------------------------- On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simluation and penetration testing. --------------------------------------------- https://isc.sans.edu/diary/rss/27954 ∗∗∗ Die Rückkehr der Rootkits – signiert von Microsoft ∗∗∗ --------------------------------------------- Forscher haben in den vergangenen Monaten verstärkt die vermeintlich ausgestorbenen Kernelschadprogramme wiederentdeckt. Eingeschleust werden sie heute anders. --------------------------------------------- https://heise.de/-6224944 ∗∗∗ Innovation aus Österreich: Fake-Shop Detector entlarvt Online-Betrüger ∗∗∗ --------------------------------------------- Fake-Shops im Internet werden immer zahlreicher und zugleich schwieriger zu erkennen. Unterstützung bietet ab sofort die Beta-Version des Fake-Shop Detectors: Das Tool untersucht im Internet-Browser in Echtzeit, ob es sich um seriöse oder betrügerische Onlineshops handelt und stellt somit ein Best Practice für den Nutzen und die Chancen des Einsatzes von Künstlicher Intelligenz für Konsumentinnen und Konsumenten dar. --------------------------------------------- https://www.watchlist-internet.at/news/innovation-aus-oesterreich-fake-shop… ∗∗∗ Using Discord infrastructure for malicious intent ∗∗∗ --------------------------------------------- Research by: Idan Shechter & Omer Ventura Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord There are currently over 150 million monthly active users on Discord Users must be aware that Discord’s bot… --------------------------------------------- https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-mal… ∗∗∗ Google unmasks two-year-old phishing & malware campaign targeting YouTube users ∗∗∗ --------------------------------------------- Almost two years after a wave of complaints flooded Googles support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Googles security team has finally tracked down the root cause of these attacks. --------------------------------------------- https://therecord.media/google-unmasks-two-year-old-phishing-malware-campai… ∗∗∗ Kernel Karnage – Part 1 ∗∗∗ --------------------------------------------- I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); --------------------------------------------- https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlichte 19 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat acht Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, eines als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127 ∗∗∗ --------------------------------------------- Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. --------------------------------------------- https://jira.atlassian.com/browse/JRASERVER-72003 ∗∗∗ WinRAR’s vulnerable trialware: when free software isn’t free ∗∗∗ --------------------------------------------- In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. --------------------------------------------- https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-softwar… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, --------------------------------------------- https://lwn.net/Articles/873601/ ∗∗∗ B. Braun Infusomat Space Large Volume Pump ∗∗∗ --------------------------------------------- This advisory contains mitigation for Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation vulnerabilities in the B. Braun Infusomat Space Large Volume Pump. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 HMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-01 ∗∗∗ Delta Electronics DIALink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Cross-site Scripting, Improper Neutralization of Formula Elements in a CSV File, Cleartext Storage of Sensitive Information, Uncontrolled Search Path Element, and Incorrect Default Permissions vulnerabilities in the Delta Electronics DIALink industrial automation server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in ICONICS GENESIS64, Mitsubishi Electric MC Works64 third-party OPC Foundation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-03 ∗∗∗ RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro and in the worst case scenario allows attackers to remotely execute code on the server. --------------------------------------------- https://certitude.consulting/blog/en/rce-in-gridpro-request-management-for-… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei FusionCube Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - CSV Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - Improper Signature Management Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2021
by Daily end-of-shift report 20 Oct '21

20 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-10-2021 18:00 − Mittwoch 20-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ How a simple Linux kernel memory corruption bug can lead to complete system compromise ∗∗∗ --------------------------------------------- This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Busters 4.19.0-13-amd64 kernel. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memo… ∗∗∗ SuDump: Exploiting suid binaries through the kernel ∗∗∗ --------------------------------------------- We will show bugs we found in the Linux kernel that allow unprivileged users to create root-owned core files, and how we were able to use them to get an LPE through the sudo program on machines that have been configured by administrators to allow running a single innocent command. --------------------------------------------- https://alephsecurity.com/2021/10/20/sudump/ ∗∗∗ q-logger skimmer keeps Magecart attacks going ∗∗∗ --------------------------------------------- This case reminds us that web skimming attacks are ongoing even if we dont always hear about them. The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-… ∗∗∗ VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group ∗∗∗ --------------------------------------------- While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via AppleSeed remote control malware. --------------------------------------------- https://asec.ahnlab.com/en/27346/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2021 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 419 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2021.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi, strongswan). --------------------------------------------- https://lwn.net/Articles/873462/ ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to cross site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-us… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Drupal core (CVE-2021-32610) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects the Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2021-20571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ VMSA-2021-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0024.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-36160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13401920 ∗∗∗ AUVESY Versiondog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01 ∗∗∗ Trane HVAC Systems Controls ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2021
by Daily end-of-shift report 19 Oct '21

19 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 18-10-2021 18:00 − Dienstag 19-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Umfrage: Komplexe IT und Firmenstrukturen gefährden die Cybersicherheit ∗∗∗ --------------------------------------------- Manager in Deutschland erachten unübersichtliche Technologien, Datenbestände, Betriebsumgebungen und Lieferketten als große Einfallstore für Cyberangreifer. --------------------------------------------- https://heise.de/-6222835 ∗∗∗ Sicherheitsforscher: Microsoft-Cloud verteilt zu leichtfertig Malware ∗∗∗ --------------------------------------------- IT-Spezialisten und Insider werfen Microsoft vor, auf ihren Cloud-Diensten gehostete Malware viel zu langsam zu entfernen. --------------------------------------------- https://heise.de/-6222542 ∗∗∗ SMS über eine ausständige Geldstrafe ist Fake ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen erhalten momentan ein SMS, das über ein angeblich ausstehendes Bußgeld informiert. In der Nachricht werden Sie aufgefordert, die Zahlung sofort vorzunehmen, ansonsten drohen rechtliche Schritte. Um die Zahlung zu tätigen, sollte ein Link angeklickt werden. Vorsicht: Diese Benachrichtigung ist nicht echt! Sie werden auf eine gefälschte oesterreich.gv.at-Seite geführt. Kriminelle versuchen dort an Ihre Bankdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sms-ueber-eine-ausstaendige-geldstra… ∗∗∗ Free BlackByte decryptor released, after researchers say they found flaw in ransomware code ∗∗∗ --------------------------------------------- Security experts have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. Thats right - you dont need to pay the ransom. Predictably, the ransomware gang isnt happy. --------------------------------------------- https://grahamcluley.com/free-blackbyte-decryptor-released-after-researcher… ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/18/cisa-fbi-and-nsa-… ∗∗∗ LightBasin hacking group breaches 13 global telecoms in two years ∗∗∗ --------------------------------------------- A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-bre… ∗∗∗ Trickbot module descriptions ∗∗∗ --------------------------------------------- In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules. --------------------------------------------- https://securelist.com/trickbot-module-descriptions/104603/ ∗∗∗ A New Variant of FlawedGrace Spreading Through Mass Email Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, [...] --------------------------------------------- https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.ht… ∗∗∗ “Killware”: Is it just as bad as it sounds? ∗∗∗ --------------------------------------------- "Killware," as USA TODAY put it, is the latest cyberthreat thats even eclipsing ransomware. But is it all its hyped up to be? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes Surface Pro 3 TPM bypass with public exploit code ∗∗∗ --------------------------------------------- Microsoft has patched a security feature bypass vulnerability impacting Surface Pro 3 tablets that enables threat actors to introduce malicious devices within enterprise environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-surface-pro… ∗∗∗ Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services ∗∗∗ --------------------------------------------- Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine. Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used [...] --------------------------------------------- https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.h… ∗∗∗ Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro hat Security Advisories zu acht Schwachstellen veröffentlicht. Die Lücken sind zwischen "Low" und "High" eingestuft. --------------------------------------------- https://success.trendmicro.com/solution/000289229 ∗∗∗ Security Bulletin for Trend Micro Worry-Free Business Security and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Services (SaaS) that resolve several vulnerabilities listed below. --------------------------------------------- https://success.trendmicro.com/solution/000289230 ∗∗∗ RHSA-2021:3759 - Security Advisory ∗∗∗ --------------------------------------------- Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. --------------------------------------------- https://access.redhat.com/errata/RHSA-2021:3759 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could [...] --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan). --------------------------------------------- https://lwn.net/Articles/873307/ ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities (CVE-2020-15168, CVE-2021-29912) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2369 and CVE-2021-2432 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2021
by Daily end-of-shift report 18 Oct '21

18 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-10-2021 18:00 − Montag 18-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unternehmensbetrug: Diese Gefahren sollten Unternehmen und ihre MitarbeiterInnen kennen! ∗∗∗ --------------------------------------------- Internetbetrug betrifft nicht nur Privatpersonen, auch Unternehmen sind eine beliebte Zielscheibe für Cyberkriminelle. Angegriffen wird allerdings nicht nur die technische Infrastruktur von Unternehmen, vielmehr zielen Attacken hauptsächlich auf die MitarbeiterInnen ab. Im Rahmen des Projekts „CyberSec“ will sich die Watchlist Internet daher verstärkt dem Thema Unternehmensbetrug widmen, um Betriebe im Bereich der Internetsicherheit zu stärken. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmensbetrug-diese-gefahren-so… ∗∗∗ REvil ransomware shuts down again after Tor sites were hijacked ∗∗∗ --------------------------------------------- The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-… ∗∗∗ Microsoft asks admins to patch PowerShell to fix WDAC bypass ∗∗∗ --------------------------------------------- Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-pa… ∗∗∗ Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th) ∗∗∗ --------------------------------------------- I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage --------------------------------------------- https://isc.sans.edu/diary/rss/27938 ∗∗∗ Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th) ∗∗∗ --------------------------------------------- Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server. --------------------------------------------- https://isc.sans.edu/diary/rss/27944 ∗∗∗ Security Risks with Private 5G in Manufacturing Companies ∗∗∗ --------------------------------------------- Private 5G is said to bring about the "democratization of communications." This technology allows private companies and local governments to take the driving seat in operating the latest information communication systems. --------------------------------------------- https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-… ∗∗∗ Ransomware in a global context ∗∗∗ --------------------------------------------- This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends. Over the last 16 years, we have processed more than 2 million files per day across 232 countries. --------------------------------------------- https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf ∗∗∗ Case Study: From BazarLoader to Network Reconnaissance ∗∗∗ --------------------------------------------- BazarLoader Windows-based malware provides backdoor access that criminals can use to perform reconnaissance to map the victims network. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/ ∗∗∗ This particularly dangerous phishing attack features a weaponized Excel file ∗∗∗ --------------------------------------------- Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet. --------------------------------------------- https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-f… ∗∗∗ Virus Bulletin: Old malware never dies – it just gets more targeted ∗∗∗ --------------------------------------------- Putting a precision payload on top of more generic malware makes perfect sense for malware operators --------------------------------------------- https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-… ∗∗∗ IcedID to XingLocker Ransomware in 24 hours ∗∗∗ --------------------------------------------- Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early [...] --------------------------------------------- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-… ∗∗∗ ASEC Weekly Malware Statistics (October 4th, 2021 – October 10th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%. --------------------------------------------- https://asec.ahnlab.com/en/27824/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Beliebtes Plugin "WP Fastest Cache" braucht dringend ein Update ∗∗∗ --------------------------------------------- Jetzt updaten: Das Cache-Plugin WP Fastest Cache wies Schwachstellen auf, die WordPress-Installationen unter bestimmten Voraussetzungen angreifbar machten. --------------------------------------------- https://heise.de/-6220994 ∗∗∗ 2021-10 Security Bulletin: CTPView: HSTS not being enforced on CTPView server. (CVE-2021-0296) ∗∗∗ --------------------------------------------- The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11210 ∗∗∗ 2021-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packet on MS-MPC/MS-MIC causes line card reset (CVE-2021-31351) ∗∗∗ --------------------------------------------- An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11216 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/873210/ ∗∗∗ 128 Technology Session Smart Router vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85073657/ ∗∗∗ Eclipse Jetty vulnerability CVE-2021-28165 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15338344?utm_source=f5support&utm_mediu… ∗∗∗ Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53225395?utm_source=f5support&utm_mediu… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1077 ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to jzsip (CVE-2021-23413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: Cross site scripting vulnerability affecting Case Builder in IBM Business Automation Workflow – CVE-2021-29878 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2021
by Daily end-of-shift report 15 Oct '21

15 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-10-2021 18:00 − Freitag 15-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Accenture confirms data breach after August ransomware attack ∗∗∗ --------------------------------------------- Global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the companys systems in August 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/accenture-confirms-data-brea… ∗∗∗ BlackByte Ransomware – Pt. 1 In-depth Analysis ∗∗∗ --------------------------------------------- During a recent malware incident response case, we encountered an interesting piece of ransomware that goes by the name of BlackByte. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ BlackByte Ransomware – Pt 2. Code Obfuscation Analysis ∗∗∗ --------------------------------------------- We received the original launcher file from an Incident Response case. It was about 630 KB of JScript code which was seemingly full of garbage code – hiding the real intent. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ Employee offboarding: Why companies must close a crucial gap in their security strategy ∗∗∗ --------------------------------------------- There are various ways a departing employee could put your organization at risk of a data breach. How do you offboard employees the right way and ensure your data remains safe? --------------------------------------------- https://www.welivesecurity.com/2021/10/14/employee-offboarding-companies-cl… ∗∗∗ Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to U.S. Water and Wastewater Systems (WWS) Sector. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/14/ongoing-cyber-thr… ∗∗∗ A malware botnet has made more than $24.7 million since 2019 ∗∗∗ --------------------------------------------- The operators of a malware botnet known as MyKings are believed to have made more than $24.7 million through what security researchers call a "clipboard hijacker." --------------------------------------------- https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-si… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4). --------------------------------------------- https://lwn.net/Articles/873056/ ∗∗∗ ZDI-21-1211: (0Day) Fuji Electric Alpha5 A5V File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1211/ ∗∗∗ ZDI-21-1210: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1210/ ∗∗∗ ZDI-21-1209: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1209/ ∗∗∗ ZDI-21-1208: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1208/ ∗∗∗ Schneider Electric CNM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-01 ∗∗∗ Uffizio GPS Tracker ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-03 ∗∗∗ Siemens RUGGEDCOM ROX (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01 ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/15/apache-releases-s… ∗∗∗ SYSS-2019-018/SYSS-2019-019: Unsichere Dateisystemberechtigungen und Installationsmodi in Ivanti DSM ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2019-018/syss-2019-019-unsichere-date… ∗∗∗ Change in Magniber Ransomware Vulnerability (CVE-2021-40444) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/27264/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2021
by Daily end-of-shift report 14 Oct '21

14 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-10-2021 18:00 − Donnerstag 14-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Nach Datenleck: Hausdurchsuchung statt Dankeschön ∗∗∗ --------------------------------------------- Rund 700.000 Personen sind von einem Datenleck betroffen. Ein Programmierer hatte die Lücke entdeckt und gemeldet - und erhielt eine Anzeige. Von Moritz Tremmel (Datenleck, Server) --------------------------------------------- https://www.golem.de/news/nach-datenleck-hausdurchsuchung-statt-dankeschoen… ∗∗∗ Romance scams with a cryptocurrency twist – new research from SophosLabs ∗∗∗ --------------------------------------------- Romance scams and dating site treachery with a new twist - "theres an app for that!" --------------------------------------------- https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurr… ∗∗∗ A Handshake with MySQL Bots ∗∗∗ --------------------------------------------- It’s well known that we just don’t put services or devices on the edge of the Internet without strong purpose justification. Services, whether maintained by end-users or administrators, have a ton of security challenges. Databases belong to a group that often needs direct access to the Internet - no doubt that security requirements are a priority here. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/handshake-w… ∗∗∗ We analyzed 80 million ransomware samples – here’s what we learned ∗∗∗ --------------------------------------------- [...] VirusTotal’s first Ransomware Activity Report provides a holistic view of ransomware attacks by combining more than 80 million potential ransomware-related samples submitted over the last year and a half. --------------------------------------------- https://blog.google/technology/safety-security/we-analyzed-80-million-ranso… ∗∗∗ “Free Steam game” scams on TikTok are Among Us ∗∗∗ --------------------------------------------- We look at a dubious free game offer via TikTok, and explore what the site owners expect you to do in order to snag a supposed freebie. --------------------------------------------- https://blog.malwarebytes.com/scams/2021/10/free-steam-game-scams-on-tiktok… ∗∗∗ Wege in Fake-Shops ∗∗∗ --------------------------------------------- Betrügerische und unseriöse Shops sind ein großes Problem im Online-Handel. Doch wie kommen Konsumentinnen und Konsumenten eigentlich zu Fake-Shops? Mit dieser Frage hat sich die Watchlist Internet in den Sommermonaten beschäftigt. Klar wurde: Google- und Facebook-Werbung sind die größten Zubringer zu Fake-Shops. Über diese Wege kommt der Großteil der Opfer auf betrügerische Online-Shops. --------------------------------------------- https://www.watchlist-internet.at/news/wege-in-fake-shops/ ∗∗∗ Don’t get phished! How to be the one that got away ∗∗∗ --------------------------------------------- If it looks like a duck, swims like a duck, and quacks like a duck, then its probably a duck. Now, how do you apply the duck test to defense against phishing? --------------------------------------------- https://www.welivesecurity.com/2021/10/13/phishing-how-be-one-got-away/ ∗∗∗ New Yanluowang ransomware used in targeted attacks ∗∗∗ --------------------------------------------- New arrival to the targeted ransomware scene appears to be still in development. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya… ∗∗∗ Acer confirms second security breach this year ∗∗∗ --------------------------------------------- A spokesperson for Taiwanese computer maker Acer has confirmed today that the company suffered a second security breach this year after hackers advertised the sale of more than 60 GB of data on an underground cybercrime forum.The post Acer confirms second security breach this year appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/acer-confirms-second-security-breach-this-year/ ∗∗∗ Q&A: Secure PLC Programming Insights ∗∗∗ --------------------------------------------- Members of the Top 20 Secure PLC Coding Practices project recently joined Claroty’s Aperture podcast to discuss the group’s list of top 20 secure coding practices for programmable logic controllers (PLCs). What follows is an edited transcript of our discussion with Martin Scheu of SWITCH-CERT and Dirk Rotermund of gefeba Engineering GmbH. --------------------------------------------- https://claroty.com/2021/10/13/blog-qa-secure-plc-programming-insights/ ∗∗∗ Windows Oktober 2021-Updates: PrintNightmare-Stand und Netzwerk-Druckprobleme ∗∗∗ --------------------------------------------- Zum 12. Oktober 2021 hat Microsoft neue Schwachstellen im Umfeld der als PrintNightmare bekannten Sicherheitslücken per Update adressiert. Daher ein kurzer Blick auf das betreffende Thema, welches auch weiterhin nicht vom Tisch ist. --------------------------------------------- https://www.borncity.com/blog/2021/10/14/windows-oktober-2021-updates-print… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 16 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/872945/ ∗∗∗ Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-043 ∗∗∗ Juniper JUNOS und Juniper JUNOS Evolved: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1070 ∗∗∗ Microsoft Exchange Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1069 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily