- Daily - CERT.at

Tageszusammenfassung - 18.12.2023
by Daily end-of-shift report 18 Dec '23

18 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-12-2023 18:00 − Montag 18-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zwei Monate nach Meldung: SQL-Injection-Schwachstelle in 3CX noch immer ungepatcht ∗∗∗ --------------------------------------------- Statt einen Patch bereitzustellen, fordert 3CX seine Kunden nun dazu auf, aus Sicherheitsgründen ihre SQL-Datenbank-Integrationen zu deaktivieren. --------------------------------------------- https://www.golem.de/news/zwei-monate-nach-meldung-sql-injection-schwachste… ∗∗∗ SMTP Smuggling - Spoofing E-Mails Worldwide ∗∗∗ --------------------------------------------- Introducing a novel technique for e-mail spoofing --------------------------------------------- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwi… ∗∗∗ SLP Denial of Service Amplification - Attacks are ongoing and rising ∗∗∗ --------------------------------------------- We build on our previous work and look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets are they focused on at the moment. --------------------------------------------- https://www.bitsight.com/blog/slp-denial-service-amplification-attacks-are-… ∗∗∗ WordPress hosting service Kinsta targeted by Google phishing ads ∗∗∗ --------------------------------------------- WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-ki… ∗∗∗ Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds ∗∗∗ --------------------------------------------- Microsoft is warning of an uptick in malicious activity from an emerging threat cluster its tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. --------------------------------------------- https://thehackernews.com/2023/12/microsoft-warns-of-storm-0539-rising.html ∗∗∗ PikaBot distributed via malicious search ads ∗∗∗ --------------------------------------------- PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distr… ∗∗∗ QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry ∗∗∗ --------------------------------------------- A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. --------------------------------------------- https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html ∗∗∗ iOS 17.2: Flipper Zero kann keine iPhones mehr crashen ∗∗∗ --------------------------------------------- Apple verhindert mit iOS 17.2 offenbar, dass iPhones mit einem Flipper-Zero-Bluetooth-Exploit ge-DoSt werden können. --------------------------------------------- https://www.heise.de/-9576526 ∗∗∗ Ransomware-Gruppen buhlen zunehmend um Medien-Aufmerksamkeit ∗∗∗ --------------------------------------------- Um sich von der Konkurrenz abzusetzen und die eigenen Leistungen gewürdigt zu wissen, suchen Ransomware-Gruppen zunehmend den direkten Kontakt zu Journalisten. --------------------------------------------- https://www.heise.de/-9576774 ∗∗∗ E-Mail vom Entschädigungsamt ist Fake ∗∗∗ --------------------------------------------- Kriminelle geben sich als „Entschädigungsamt“ aus und behaupten in einem E-Mail, dass Betrugsopfer mit einer Gesamtsumme von 3.500.000 Euro entschädigt werden. Antworten Sie nicht und schicken Sie keinesfalls persönliche Daten und Ausweiskopien. Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-entschaedigungsamt-ist-fa… ∗∗∗ Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains ∗∗∗ --------------------------------------------- Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/ ∗∗∗ An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th) ∗∗∗ --------------------------------------------- A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as cve:2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score: 2/60 --------------------------------------------- https://isc.sans.edu/diary/rss/30492 ∗∗∗ CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks ∗∗∗ --------------------------------------------- CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS. --------------------------------------------- https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-… ∗∗∗ CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector ∗∗∗ --------------------------------------------- Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-key-risk-and-vulnerabil… ∗∗∗ #StopRansomware: Play Ransomware ∗∗∗ --------------------------------------------- These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a ===================== = Vulnerabilities = ===================== ∗∗∗ Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server ∗∗∗ --------------------------------------------- Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-… ∗∗∗ ZDI-23-1799: Ivanti Avalanche Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Avalanche. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-41726. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1799/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish). --------------------------------------------- https://lwn.net/Articles/955566/ ∗∗∗ OpenSSH Security December 18, 2023 ∗∗∗ --------------------------------------------- penSSH 9.6 was released on 2023-12-18. It is available from the mirrors listed at https://www.openssh.com/. This release contains a number of security fixes, some small features and bugfixes. --------------------------------------------- https://www.openssh.com/security.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Nextcloud Security Advisories ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2023
by Daily end-of-shift report 15 Dec '23

15 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-12-2023 18:00 − Freitag 15-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ten new Android banking trojans targeted 985 bank apps in 2023 ∗∗∗ --------------------------------------------- This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-new-android-banking-troj… ∗∗∗ Fake-Werbeanzeige auf Facebook & Instagram: „Verlorenes Gepäck für nur 1,95 €!“ ∗∗∗ --------------------------------------------- Im Namen des „Vienna International Airport“ schalten Kriminelle aktuell betrügerische Anzeigen und behaupten, dass verloren gegangene Koffer für knapp 2 Euro verkauft werden. --------------------------------------------- https://www.watchlist-internet.at/news/fake-werbeanzeige-auf-facebook-insta… ∗∗∗ OilRig’s persistent attacks using cloud service-powered downloaders ∗∗∗ --------------------------------------------- ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-c… ∗∗∗ New Hacker Group GambleForce Hacks Targets with Open Source Tools ∗∗∗ --------------------------------------------- Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally. --------------------------------------------- https://www.hackread.com/gambleforce-hacks-targets-open-source-tools/ ∗∗∗ Mining The Undiscovered Country With GreyNoise EAP Sensors: F5 BIG-IP Edition ∗∗∗ --------------------------------------------- Discover the fascinating story of a GreyNoise researcher who found that attackers were using his demonstration code for a vulnerability instead of the real exploit. Explore the implications of this situation and learn about the importance of using accurate and up-to-date exploits in the cybersecurity community. --------------------------------------------- https://www.greynoise.io/blog/mining-the-undiscovered-country-with-greynois… ∗∗∗ Opening a new front against DNS-based threats ∗∗∗ --------------------------------------------- There are multiple ways in which threat actors can leverage DNS to carry out attacks. We will provide a an introduction to DNS threat landscape.The post Opening a new front against DNS-based threats appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-… ===================== = Vulnerabilities = ===================== ∗∗∗ Ubiquiti: Nutzer konnten auf fremde Sicherheitskameras zugreifen ∗∗∗ --------------------------------------------- Teilweise erhielten Anwender sogar Benachrichtigungen auf ihre Smartphones, in denen Bilder der fremden Kameras enthalten waren. --------------------------------------------- https://www.golem.de/news/ubiquiti-nutzer-konnten-auf-fremde-sicherheitskam… ∗∗∗ New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances. --------------------------------------------- https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.ht… ∗∗∗ Squid-Proxy: Denial of Service durch Endlosschleife ∗∗∗ --------------------------------------------- Schickt ein Angreifer einen präparierten HTTP-Header an den Proxy-Server, kann er ihn durch eine unkontrollierte Rekursion zum Stillstand bringen. --------------------------------------------- https://www.heise.de/news/Squid-Proxy-Denial-of-Service-durch-Endlosschleif… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez and haproxy), Fedora (curl, dotnet6.0, dotnet7.0, tigervnc, and xorg-x11-server), Red Hat (avahi and gstreamer1-plugins-bad-free), Slackware (bluez), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, cosign, curl, gstreamer-plugins-bad, haproxy, ImageMagick, kernel, kernel-firmware, libreoffice, tiff, [...] --------------------------------------------- https://lwn.net/Articles/955336/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Unitronics Vision Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-15 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2023
by Daily end-of-shift report 14 Dec '23

14 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-12-2023 18:00 − Donnerstag 14-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Urteil des EuGH: Datenleck-Betroffene könnten doch Schadensersatz bekommen ∗∗∗ --------------------------------------------- Der Europäische Gerichtshof (EuGH) hat in einem neuen Urteil die Rechte der Betroffenen von Datenlecks gestärkt. Schon der Umstand, "dass eine betroffene Person infolge eines Verstoßes gegen die DSGVO befürchtet, dass ihre personenbezogenen Daten durch Dritte missbräuchlich verwendet werden könnten, kann einen 'immateriellen Schaden' darstellen", heißt es in dem Urteil, das am 14. Dezember 2023 veröffentlicht wurde. --------------------------------------------- https://www.golem.de/news/urteil-des-eugh-datenleck-betroffene-koennten-doc… ∗∗∗ Reverse, Reveal, Recover: Windows Defender Quarantine Forensics ∗∗∗ --------------------------------------------- Windows Defender (the antivirus shipped with standard installations of Windows) places malicious files into quarantine upon detection. Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response. Existing scripts that extract quarantined files do not process this metadata, even though it could be useful for analysis. Fox-IT’s open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows Defender quarantine folder. --------------------------------------------- https://blog.fox-it.com/2023/12/14/reverse-reveal-recover-windows-defender-… ∗∗∗ Mobile Sicherheit. Handlungsempfehlungen und präventive Maßnahmen für die sichere Nutzung von mobilen Endgeräten, 2023 ∗∗∗ --------------------------------------------- Wie so oft stehen aber auch in diesem Bereich Komfort und Sicherheit in einem permanenten Spannungsverhältnis. Ein Mehr an Sicherheit für Ihr Gerät und Ihre Daten kann auf der anderen Seite bedeuten, dass einige durchaus praktische Funktionen nur mehr eingeschränkt oder gar nicht mehr zur Verfügung stehen. Letztlich liegt es an Ihnen, den für Sie bestmöglichen Kompromiss zwischen Funktion, Komfort, Sicherheit und Privatsphäre zu finden. Die vorliegende Broschüre möchte Ihnen dabei helfen. --------------------------------------------- https://www.nis.gv.at/dam/jcr:8165f553-2769-4553-91c8-4b117c752f56/mobile_s… ∗∗∗ Ransomware: AlphV meldet sich zurück, Aufruhr in der Szene ∗∗∗ --------------------------------------------- In der Ransomware-Szene rumort es: Gruppen versuchen, einander Mitglieder abspenstig zu machen, ein Geldwäscher geht ins Netz und Betrüger betrügen einander. --------------------------------------------- https://www.heise.de/-9574446 ∗∗∗ Amazon-Händler:innen wollen über Telegram-Gruppen Bewertungen kaufen? Machen Sie nicht mit! ∗∗∗ --------------------------------------------- Auf Telegram gibt es Kanäle, die gratis Amazon-Produkte versprechen. Die Idee dahinter: Sie suchen sich ein Produkt aus, bestellen es über Ihren privaten Amazon-Account, schreiben eine 5-Sterne-Bewertung und bekommen als Dankeschön das Geld über PayPal zurückerstattet. Mit dieser Masche kaufen sich Marketplace-Händler:innen Bewertungen, um besser gerankt zu werden – eine nicht legale Praktik. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-haendlerinnen-wollen-ueber-te… ∗∗∗ Protecting the enterprise from dark web password leaks ∗∗∗ --------------------------------------------- The trade in compromised passwords in dark web markets is particularly damaging. Cybercriminals often exploit password leaks to access sensitive data, commit fraud or launch further attacks. Let’s explore the various ways passwords are leaked to the dark web and discuss strategies for using dark web data to protect your organization. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/protecting-the-ente… ∗∗∗ Rhadamanthys v0.5.0 – a deep dive into the stealer’s components ∗∗∗ --------------------------------------------- In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation. --------------------------------------------- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-t… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-1773: (0Day) Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1773/ ∗∗∗ Paloalto released 7 Security Advisories ∗∗∗ --------------------------------------------- PAN-OS: CVE-2023-6790, CVE-2023-6791, CVE-2023-6794, CVE-2023-6792, CVE-2023-6795, CVE-2023-6793, CVE-2023-6789 --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Zoom behebt Sicherheitslücken unter Windows, Android und iOS ∗∗∗ --------------------------------------------- Durch ungenügende Zugriffskontrolle, Verschlüsselungsprobleme und Pfadmanipulation konnten Angreifer sich zusätzliche Rechte verschaffen. --------------------------------------------- https://www.heise.de/-9574367 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and rabbitmq-server), Fedora (chromium, kernel, perl-CryptX, and python-jupyter-server), Mageia (curl), Oracle (curl and postgresql), Red Hat (gstreamer1-plugins-bad-free, linux-firmware, postgresql, postgresql:10, and postgresql:15), Slackware (xorg), SUSE (catatonit, containerd, runc, container-suseconnect, gimp, kernel, openvswitch, poppler, python-cryptography, python-Twisted, python3-cryptography, qemu, squid, tiff, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (xorg-server and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/955130/ ∗∗∗ Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products ∗∗∗ --------------------------------------------- Dell is informing PowerProtect DD product customers about 8 vulnerabilities, including many rated ‘high severity’, and urging them to install patches. --------------------------------------------- https://www.securityweek.com/dell-urges-customers-to-patch-vulnerabilities-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ Cambium ePMP 5GHz Force 300-25 Radio ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-01 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202312.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-44 ∗∗∗ Johnson Controls Kantech Gen1 ioSmart ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2023
by Daily end-of-shift report 13 Dec '23

13 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-12-2023 18:00 − Mittwoch 13-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ FakeSG campaign, Akira ransomware and AMOS macOS stealer ∗∗∗ --------------------------------------------- In this report, we share our latest crimeware findings: FakeSG malware distribution campaign delivering NetSupport RAT, new Conti-like Akira ransomware and AMOS stealer for macOS. --------------------------------------------- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ ∗∗∗ Willhaben: Lassen Sie sich nicht auf WhatsApp und Co locken! ∗∗∗ --------------------------------------------- Wenn Sie auf willhaben über Kleinanzeigen Ware verkaufen oder kaufen wollen, dann sind Sie am besten vor Betrug geschützt, wenn Sie einige einfach Tipps beachten. Insbesondere sollten Sie sich aber nicht über den willhaben-Chat auf externe Kanäle leiten lassen. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-lassen-sie-sich-nicht-auf-… ∗∗∗ A pernicious potpourri of Python packages in PyPI ∗∗∗ --------------------------------------------- The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository --------------------------------------------- https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python… ∗∗∗ Web shell on a SonicWall SMA ∗∗∗ --------------------------------------------- Truesec Cybersecurity Incident Response Team (CSIRT) found a compromised SonicWall Secure Mobile Access (SonicWall SMA) device on which a threat actor (TA) had deployed a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades. --------------------------------------------- https://www.truesec.com/hub/blog/web-shell-on-a-sonicwall-sma ∗∗∗ A Day In The Life Of A GreyNoise Researcher: The Path To Understanding The Remote Code Execution Vulnerability Apache (CVE-2023-50164) in Apache Struts2 ∗∗∗ --------------------------------------------- This weakness enables attackers to remotely drop and call a web shell through a public interface. --------------------------------------------- https://www.greynoise.io/blog/a-day-in-the-life-of-a-greynoise-researcher-t… ∗∗∗ Responding to CitrixBleed (CVE-2023-4966): Key Takeaways from Affected Companies ∗∗∗ --------------------------------------------- This critical security flaw has had a significant impact across various industries in the United States, including credit unions and healthcare services, marking it as one of the most critical vulnerabilities of 2023. Its relatively straightforward buffer overflow exploitability has raised major concerns. --------------------------------------------- https://blog.morphisec.com/responding-to-citrixbleed ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: OAuth apps used to automate BEC and cryptomining attacks ∗∗∗ --------------------------------------------- Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to… ∗∗∗ Final Patch Tuesday of 2023 goes out with a bang ∗∗∗ --------------------------------------------- Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party Its the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/12/13/december_202… ∗∗∗ Patchday Microsoft: Outlook kann sich an Schadcode-E-Mail verschlucken ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für Azure, Defender & Co. veröffentlicht. Bislang soll es keine Attacken geben. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-Outlook-kann-sich-an-Schadcode… ∗∗∗ Patchday: Adobe schließt 185 Sicherheitslücken in Experience Manager ∗∗∗ --------------------------------------------- Angreifer können Systeme mit Anwendungen von Adobe ins Visier nehmen. Nun hat der Softwarehersteller Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Adobe-schliesst-185-Sicherheitslue… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support and xorg-server), Fedora (java-17-openjdk, libcmis, and libreoffice), Mageia (fish), Red Hat (buildah, containernetworking-plugins, curl, fence-agents, kernel, kpatch-patch, libxml2, pixman, podman, runc, skopeo, and tracker-miners), SUSE (kernel, SUSE Manager 4.3.10 Release Notes, and SUSE Manager Client Tools), and Ubuntu (gnome-control-center, linux-gcp, linux-kvm, linux-gkeop, linux-gkeop-5.15, linux-hwe-6.2, [...] --------------------------------------------- https://lwn.net/Articles/954921/ ∗∗∗ Mal wieder Apache Struts: CVE-2023-50164 ∗∗∗ --------------------------------------------- Wir haben in der Vergangenheit ernsthaft schlechte Erfahrungen mit Schwachstellen in der Apache Struts Library gemacht. Etwa mit CVE-2017-5638 oder CVE-2017-9805. Insbesondere komplexe Webseiten/Portal, oft von größeren Firmen, wurden öfters in Java entwickelt und waren für eine Massenexploitation anfällig. Daher haben wir die Veröffentlichung einer neuen Schwachstelle in Struts CVE-2023-50164 mit dem CVSS Score von 9.8 initial als besorgniserregend eingestuft. --------------------------------------------- https://cert.at/de/aktuelles/2023/12/mal-wieder-apache-struts-cve-2023-50164 ∗∗∗ Apache Struts Vulnerability Affecting Cisco Products: December 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Atos Unify Security Advisories ∗∗∗ --------------------------------------------- https://unify.com/en/support/security-advisories ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Nagios XI ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulner… ∗∗∗ VMSA-2023-0027 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0027.html ∗∗∗ Command injection vulnerability in Bosch IP Cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-638184-bt.html ∗∗∗ Denial of Service vulnerability in Bosch BT software products ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-092656-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2023
by Daily end-of-shift report 12 Dec '23

12 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 11-12-2023 18:00 − Dienstag 12-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Counter-Strike 2 HTML injection bug exposes players’ IP addresses ∗∗∗ --------------------------------------------- Valve has reportedly fixed an HTML injection flaw in CS2 that was heavily abused today to inject images into games and obtain other players IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/counter-strike-2-html-inject… ∗∗∗ New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam ∗∗∗ --------------------------------------------- A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. --------------------------------------------- https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.ht… ∗∗∗ Intercepting MFA. Phishing and Adversary in The Middle attacks ∗∗∗ --------------------------------------------- In this post I’ll show you at a high level how attackers carry out such an attack. The main focus here is to understand what artefacts we look for when investigating these types of attacks in a DFIR capacity. I’ll also cover the steps you can take to increase your security to try and stop your team falling foul of them. --------------------------------------------- https://www.pentestpartners.com/security-blog/intercepting-mfa-phishing-and… ∗∗∗ MySQL 5.7 reached EOL. Upgrade to MySQL 8.x today ∗∗∗ --------------------------------------------- In October 2023, MySQL 5.7 reached its end of life. As such, it will no longer be supported and won’t receive security patches or bug fixes anymore. --------------------------------------------- https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-toda… ∗∗∗ CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment ∗∗∗ --------------------------------------------- Today, CISA released the draft Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines and the associated assessment tool ScubaGoggles for public comment. The draft baselines offer minimum viable security configurations for nine GWS services: Groups for Business, Google Calendar, Google Common Controls, Google Classroom, Google Meet, Gmail, Google Chat, Google Drive and Docs, and Google Sites. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/12/cisa-releases-scuba-goog… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: SAP behandelt mehr als 15 Schwachstellen ∗∗∗ --------------------------------------------- Am Dezember-Patchday hat SAP 15 neue Sicherheitsmitteilungen herausgegeben. Sie thematisieren teils kritische Lücken. --------------------------------------------- https://www.heise.de/-9571722 ∗∗∗ WordPress Elementor: Halbgarer Sicherheitspatch gefährdete Millionen Websites ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die WordPress-Plug-ins Backup Migration und Elementor. --------------------------------------------- https://www.heise.de/-9571957 ∗∗∗ Sicherheitslücken: Apple-Patches auch für ältere Betriebssysteme – außer iOS 15 ∗∗∗ --------------------------------------------- Parallel zu iOS 17.2 und macOS 14.2 beseitigt der Hersteller auch manche Schwachstellen in früheren Versionen. Für ältere iPhones gibt es kein Update. --------------------------------------------- https://www.heise.de/news/-9572049 ∗∗∗ Xen Security Advisory CVE-2023-46837 / XSA-447 ∗∗∗ --------------------------------------------- A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-447.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and webkit2gtk), Fedora (java-1.8.0-openjdk and seamonkey), Oracle (apr, edk2, kernel, and squid:4), Red Hat (postgresql:12, tracker-miners, and webkit2gtk3), SUSE (curl, go1.20, go1.21, hplip, openvswitch, opera, squid, and xerces-c), and Ubuntu (binutils, ghostscript, libreoffice, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-xilinx-zynqmp, postfixadmin, python3.11, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/954706/ ∗∗∗ Beckhoff Security Advisory 2023-001: Open redirect in TwinCAT/BSD package “authelia-bhf” ∗∗∗ --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-051/ ∗∗∗ Phoenix Contact: ProConOS prone to Download of Code Without Integrity Check ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-054/ ∗∗∗ Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-055/ ∗∗∗ Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-056/ ∗∗∗ Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-057/ ∗∗∗ Phoenix Contact: PLCnext Control prone to download of code without integrity check ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-058/ ∗∗∗ Schneider Electric Easy UPS Online Monitoring Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icaa-23-346-01 ∗∗∗ F5: K000137871 : Linux kernel vulnerability CVE-2023-35001 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137871 ∗∗∗ SSA-999588 V1.0: Multiple Vulnerabilities in User Management Component (UMC) before V2.11.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-999588.html ∗∗∗ SSA-892915 V1.0: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-892915.html ∗∗∗ SSA-887801 V1.0: Information Disclosure Vulnerability in SIMATIC STEP 7 (TIA Portal) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-887801.html ∗∗∗ SSA-844582 V1.0: Electromagnetic Fault Injection in LOGO! V8.3 BM Devices Results in Broken LOGO! V8.3 Product CA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-844582.html ∗∗∗ SSA-693975 V1.0: Denial-of-Service Vulnerability in the Web Server of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-693975.html ∗∗∗ SSA-592380 V1.0: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-592380.html ∗∗∗ SSA-480095 V1.0: Vulnerabilities in the Web Interface of SICAM Q100 Devices before V2.60 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-480095.html ∗∗∗ SSA-398330 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-398330.html ∗∗∗ SSA-280603 V1.0: Denial of Service Vulnerability in SINUMERIK ONE and SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-280603.html ∗∗∗ SSA-180704 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V8.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-180704.html ∗∗∗ SSA-118850 V1.0: Denial of Service Vulnerability in the OPC UA Implementation in SINUMERIK ONE and SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-118850.html ∗∗∗ SSA-077170 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-077170.html ∗∗∗ SSA-068047 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V7.2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-068047.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2023
by Daily end-of-shift report 11 Dec '23

11 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-12-2023 18:00 − Montag 11-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ AutoSpill attack steals credentials from Android password managers ∗∗∗ --------------------------------------------- Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/autospill-attack-steals-cred… ∗∗∗ Over 30% of Log4J apps use a vulnerable version of the library ∗∗∗ --------------------------------------------- Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-app… ∗∗∗ Sicherheitsupdate: WordPress unter bestimmten Bedingungen angreifbar ∗∗∗ --------------------------------------------- In der aktuellen WordPress-Version haben die Entwickler eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.heise.de/-9567923 ∗∗∗ DoS-Schwachstellen: Angreifer können 714 Smartphone-Modelle vom 5G-Netz trennen ∗∗∗ --------------------------------------------- Forscher haben mehrere Schwachstellen in gängigen 5G-Modems offengelegt. Damit können Angreifer vielen Smartphone-Nutzern 5G-Verbindungen verwehren. --------------------------------------------- https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartpho… ∗∗∗ 40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager ∗∗∗ --------------------------------------------- In today’s post, we’ll take a look at some recent Google Tag Manager containers used in ecommerce malware, examine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015. --------------------------------------------- https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-f… ∗∗∗ Bluetooth-Lücke erlaubt Einschleusen von Tastenanschlägen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Bluetooth-Stacks erlaubt Angreifern, Tastenanschläge einzuschmuggeln. Unter Android, iOS, Linux und macOS. --------------------------------------------- https://www.heise.de/-9570583 ∗∗∗ Achtung Fake-Shop: fressnapfs.shop ∗∗∗ --------------------------------------------- Kriminelle schalten auf Facebook und Instagram Werbung für einen betrügerischen Fressnapf-Online-Shop. Der gefälschte Online-Shop sieht dem echten Shop zum Verwechseln ähnlich. Auch die Internetadresse „fressnapfs.shop“ scheint plausibel. Wenn Sie beim Fake-Shop bestellen, verlieren Sie Ihr Geld und erhalten keine Lieferung! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-fressnapfsshop/ ∗∗∗ To tap or not to tap: Are NFC payments safer? ∗∗∗ --------------------------------------------- Contactless payments are quickly becoming ubiquitous – but are they more secure than traditional payment methods? --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/to-tap-or-not-to-tap-are-nf… ∗∗∗ Kaspersky entdeckt „hochkomplexen“ Proxy-Trojaner für macOS ∗∗∗ --------------------------------------------- Die Malware wird über raubkopierte Software verbreitet. Varianten für Android und Windows sind offenbar auch im Umlauf. --------------------------------------------- https://www.zdnet.de/88413363/kaspersky-entdeckt-hochkomplexen-proxy-trojan… ∗∗∗ Risiko Active Directory-Fehlkonfigurationen; Forest Druid zur Analyse ∗∗∗ --------------------------------------------- Fehlkonfigurationen und Standardeinstellungen des Active Directory können die IT-Sicherheit von Unternehmen gefährden. Bastien Bossiroy von den NVISO Labs hat sich Gedanken um dieses Thema gemacht und bereits Ende Oktober 2023 einen Beitrag zu den häufigsten Fehlkonfigurationen/Standardkonfigurationen des Active Directory, die Unternehmen gefährden, veröffentlicht. Zudem ist mir kürzlich ein Hinweis auf "Forest Druid" untergekommen, ein kostenloses Attack-Path-Management-Tool von Semperis. --------------------------------------------- https://www.borncity.com/blog/2023/12/09/risiko-active-directory-die-hufigs… ∗∗∗ Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang ∗∗∗ --------------------------------------------- Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity. --------------------------------------------- https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ ∗∗∗ 2023 Review: Reflecting on Cybersecurity Trends ∗∗∗ --------------------------------------------- With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/23/l/2023-review-reflecting-on-cybers… ∗∗∗ Analyzing AsyncRATs Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases ∗∗∗ --------------------------------------------- This blog entry delves into MxDRs unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-inje… ===================== = Vulnerabilities = ===================== ∗∗∗ Resolved RCE in Sophos Firewall (CVE-2022-3236) ∗∗∗ --------------------------------------------- The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall. No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce ∗∗∗ Sicherheitslücken: Angreifer können Schadcode auf Qnap NAS schieben ∗∗∗ --------------------------------------------- Netzwerkspeicher von Qnap sind verwundbar. In aktuellen Versionen haben die Entwickler Sicherheitsprobleme gelöst. --------------------------------------------- https://www.heise.de/-9570375 ∗∗∗ New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) ∗∗∗ --------------------------------------------- The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164). --------------------------------------------- https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml). --------------------------------------------- https://lwn.net/Articles/954092/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar). --------------------------------------------- https://lwn.net/Articles/954449/ ∗∗∗ Edge 120.0.2210.61 mit Sicherheitsfixes und neuer Telemetriefunktion ∗∗∗ --------------------------------------------- Microsoft hat zum 7. Dezember 2023 den Edge 120.0.2210.61 im Stable-Channel veröffentlicht. Diese Version schließt gleich drei Schwachstellen (und zudem Chromium-Sicherheitslücken). Der neue Edge kommt zudem mit neuen Richtlinien. --------------------------------------------- https://www.borncity.com/blog/2023/12/08/edge-120-0-2210-61-mit-sicherheits… ∗∗∗ GarageBand 10.4.9 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT214042 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-049/ ∗∗∗ Local Privilege Escalation durch MSI installer in PDF24 Creator (geek Software GmbH) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2023
by Daily end-of-shift report 07 Dec '23

07 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-12-2023 18:00 − Donnerstag 07-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA and International Partners Release Advisory on [..] Star Blizzard ∗∗∗ --------------------------------------------- The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods [..] Known Star Blizzard techniques include: Impersonating known contacts' email accounts, Creating fake social media profiles, Using webmail addresses from providers such as Outlook, Gmail and others, and Creating malicious domains that resemble legitimate organizations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-p… ∗∗∗ CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps ∗∗∗ --------------------------------------------- The guide strongly encourages executives of software manufacturers to prioritize using memory safe programing languages, write and publish memory safe roadmaps and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle (SDLC) to dramatically reduce and eventually eliminate memory unsafe code in their products. This guidance also provides a clear outline of elements that a memory safe roadmap should include. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-fbi-and-international-cybers… ===================== = Vulnerabilities = ===================== ∗∗∗ PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2 ∗∗∗ --------------------------------------------- WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present. --------------------------------------------- https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remo… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography). --------------------------------------------- https://lwn.net/Articles/953977/ ∗∗∗ Kritische Sicherheitslücken in mehreren Produkten von Atlassian - Patches verfügbar ∗∗∗ --------------------------------------------- Mehrere Versionen von Produkten des Unternehmens Atlassian enthalten kritische Sicherheitslücken. Die Ausnutzung der Sicherheitslücken ermöglicht Angreifer:innen die vollständige Übernahme von verwundbaren Systemen, sowie den Zugriff auf alle darauf gespeicherten Daten. CVE-Nummer(n): CVE-2023-22522, CVE-2022-1471 CVSS Base Score: 9.0 bzw. 9.8 --------------------------------------------- https://cert.at/de/warnungen/2023/12/kritische-sicherheitslucken-in-mehrere… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-341-01 Mitsubishi Electric FA Engineering Software Products, ICSA-23-341-02 Schweitzer Engineering Laboratories SEL-411L, ICSA-23-341-03 Johnson Controls Metasys and Facility Explorer, ICSA-23-341-05 ControlbyWeb Relay, ICSA-23-341-06 Sierra Wireless AirLink with ALEOS firmware --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-releases-five-indus… ∗∗∗ BIOS Image Parsing Function Vulnerabilities (LogoFAIL) ∗∗∗ --------------------------------------------- Vulnerabilities were reported in the image parsing libraries in AMI, Insyde and Phoenix BIOS which are used to parse personalized boot logos that are loaded from the EFI System Partition that could allow a local attacker with elevated privileges to trigger a denial of service or arbitrary code execution. [..] Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500590-BIOS-IMAGE-PARSING-FUNC… ∗∗∗ Drupal: Group - Less critical - Access bypass - SA-CONTRIB-2023-054 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-054 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2023
by Daily end-of-shift report 06 Dec '23

06 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-12-2023 18:00 − Mittwoch 06-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Trügerische Sicherheit: Angreifer können Lockdown-Modus von iOS fälschen ∗∗∗ --------------------------------------------- Der Lockdown-Modus von iOS soll iPhone-Besitzer vor Cyberangriffen schützen. Forscher haben gezeigt, wie sich die Funktion fälschen lässt. --------------------------------------------- https://www.golem.de/news/truegerische-sicherheit-angreifer-koennen-lockdow… ∗∗∗ Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th) ∗∗∗ --------------------------------------------- So far, security analysts and administrators have had to rely mostly on WHOIS, RDAP, reverse DNS lookups and third-party data (e.g., data from ISC/DShield) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of “internet probes” might simplify their own identification. --------------------------------------------- https://isc.sans.edu/diary/rss/30456 ∗∗∗ Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks ∗∗∗ --------------------------------------------- Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. --------------------------------------------- https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html ∗∗∗ Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts ∗∗∗ --------------------------------------------- Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html ∗∗∗ Blind CSS Exfiltration: exfiltrate unknown web pages ∗∗∗ --------------------------------------------- Why would we want to do blind CSS exfiltration? Imagine youve got a blind HTML injection vulnerability but you cant get XSS because of the sites CSP or perhaps the site has a server-side or DOM-based filter such as DOMPurify. JavaScript is off the table but they allow styles because theyre just styles right? What possible damage can you do with just CSS? --------------------------------------------- https://portswigger.net/research/blind-css-exfiltration ∗∗∗ SLAM: Neue Spectre-Variante gefährdet zukünftige CPU-Generationen ∗∗∗ --------------------------------------------- Forscher tricksen das Speichermanagement kommender CPU-Generationen aus, um vermeintlich geschützte Daten aus dem RAM zu lesen. --------------------------------------------- https://www.heise.de/-9549625 ∗∗∗ Windows 10: Security-Updates nach Support-Ende ∗∗∗ --------------------------------------------- Wer Windows 10 länger als bis 2025 betreiben will, muss entweder in die Microsoft-365-Cloud oder für Patches zahlen. --------------------------------------------- https://www.heise.de/-9566262 ∗∗∗ Achtung Betrug: Rechnung vom "Registergericht" ∗∗∗ --------------------------------------------- Aktuell läuft wohl wieder eine Betrugskampagne, in der Brief mit falschen Rechnungen von einem angeblichen "Registergericht" an Firmen geschickt werden. --------------------------------------------- https://www.borncity.com/blog/2023/12/06/achtung-betrug-rechnung-vom-regist… ∗∗∗ CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud ∗∗∗ --------------------------------------------- While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105! CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations. --------------------------------------------- https://www.greynoise.io/blog/cve-2023-49105-webdav-api-authentication-bypa… ===================== = Vulnerabilities = ===================== ∗∗∗ "Sierra:21" vulnerabilities impact critical infrastructure routers ∗∗∗ --------------------------------------------- A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [..] AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-im… ∗∗∗ Codeschmuggel in Atlassian-Produkten: Vier kritische Lücken aufgetaucht ∗∗∗ --------------------------------------------- Admins von Confluence, Jira und Bitbucket kommen aus dem Patchen nicht heraus: Erneut hat Atlassian dringende Updates für seine wichtigsten Produkte vorgelegt. --------------------------------------------- https://www.heise.de/-9565780 ∗∗∗ Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension ∗∗∗ --------------------------------------------- The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. These two escapes allow an attacker to execute commands with the highest permissions of a user with the SYSTEM role. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-e… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis). --------------------------------------------- https://lwn.net/Articles/953861/ ∗∗∗ Command Injection via CLI des DrayTek Vigor167 (SYSS-2023-023) ∗∗∗ --------------------------------------------- Die Kommandozeile (Command-Line Interface, CLI) des DrayTek Vigor167 mit der Modemfirmware 5.2.2 erlaubt es angemeldeten Angreifenden, beliebigen Code auf dem Modem auszuführen. Nutzende mit Zugang zur Weboberfläche, aber ohne jegliche Berechtigungen, haben ebenfalls Zugriff auf die CLI und können hierüber das Modem übernehmen. --------------------------------------------- https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigo… ∗∗∗ Security Advisory - Identity Bypass Vulnerability in Some Huawei Smart Screen Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ibvishssp… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2023
by Daily end-of-shift report 05 Dec '23

05 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 04-12-2023 18:00 − Dienstag 05-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Unpatched Loytec Building Automation Flaws Disclosed 2 Years After Discovery ∗∗∗ --------------------------------------------- Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities discovered by its researchers in building automation products made by Austrian company Loytec more than two years ago. --------------------------------------------- https://www.securityweek.com/unpatched-loytec-building-automation-flaws-dis… ∗∗∗ BlueNoroff: new Trojan attacking macOS users ∗∗∗ --------------------------------------------- BlueNoroff has been attacking macOS users with a new loader that delivers unknown malware to the system. --------------------------------------------- https://securelist.com/bluenoroff-new-macos-malware/111290/ ∗∗∗ Zarya Hacktivists: More than just Sharepoint., (Mon, Dec 4th) ∗∗∗ --------------------------------------------- Zarya isn't exactly the type of threat you should be afraid of, but it is sad how these groups can still be effective due to organizations exposing unpatched or badly configured systems to the internet. Most of the attacks sent by Zarya will not succeed even if they hit a vulnerable system. For some added protection, you may consider blocking some of the Aeza network's traffic after ensuring that this network hosts no critical resources you need. Aeza uses ASN 210644. --------------------------------------------- https://isc.sans.edu/diary/rss/30450 ∗∗∗ Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack ∗∗∗ --------------------------------------------- A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when its actually not and carry out covert attacks. --------------------------------------------- https://thehackernews.com/2023/12/warning-for-iphone-users-experts-warn.html ∗∗∗ Sicherheitslücke in iOS 16 soll angeblich leichteres Auslesen ermöglichen ∗∗∗ --------------------------------------------- In Moskau streiten sich zwei Forensikfirmen wegen gestohlenem Programmcode. Dieser aber offenbart eine mögliche neue Sicherheitslücke im iPhone-Betriebssystem. --------------------------------------------- https://www.heise.de/-9548725 ∗∗∗ OSINT. What can you find from a domain or company name ∗∗∗ --------------------------------------------- To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names. --------------------------------------------- https://www.pentestpartners.com/security-blog/osint-what-can-you-find-from-… ∗∗∗ Viele Beschwerden zu luckyluna.de ∗∗∗ --------------------------------------------- luckyluna.de bietet handgezeichnete Tierportraits. Sie laden ein Foto Ihres Tieres hoch, es wird gezeichnet und Sie erhalten das Bild entweder digital oder auf einer Leinwand – so zumindest das Versprechen. Verärgerte Kund:innen beschweren sich aber, dass die Bilder nicht handgezeichnet sind, sondern die „handgefertigten Portraits“ nur mit Hilfe eines Bildbearbeitungsprogramms erstellt werden. --------------------------------------------- https://www.watchlist-internet.at/news/viele-beschwerden-zu-luckylunade/ ∗∗∗ Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers ∗∗∗ --------------------------------------------- This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Android 11, 12, 13 und 14 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können Android-Smartphones und -Tablets verschiedener Hersteller ins Visier nehmen. Für einige Geräte gibt es Sicherheitsupdates. --------------------------------------------- https://www.heise.de/-9548839 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4). --------------------------------------------- https://lwn.net/Articles/953783/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-42916, CVE-2023-42917. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0011.html ∗∗∗ Security updates for Ivanti Connect Secure and Ivanti Policy Secure ∗∗∗ --------------------------------------------- We are reporting the Ivanti Connect Secure issues as CVE-2023-39340, CVE-2023-41719 and CVE-2023-41720, and Ivanti Policy Secure issue as CVE-2023-39339. We encourage customers to download the latest releases of ICS and IPS to remediate the issues. --------------------------------------------- https://www.ivanti.com/blog/security-updates-for-ivanti-connect-secure-and-… ∗∗∗ SonicWall SSL-VPN SMA100 Version 10.x Is Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018 ∗∗∗ Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Packet Validation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Wago: Vulnerabilities in IEC61850 Server / Telecontrol ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-044/ ∗∗∗ Wago: Vulnerability in Smart Designer Web-Application ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-045/ ∗∗∗ CODESYS: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-035/ ∗∗∗ CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-066/ ∗∗∗ Pilz : WIBU Vulnerabilitiy in multiple Products (Update A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-033/ ∗∗∗ Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-059/ ∗∗∗ Pilz: Multiple products prone to libwebp vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-048/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-339-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2023
by Daily end-of-shift report 04 Dec '23

04 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-12-2023 18:00 − Montag 04-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks ∗∗∗ --------------------------------------------- The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware. --------------------------------------------- https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html ∗∗∗ New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect thats capable of targeting routers and IoT devices. --------------------------------------------- https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html ∗∗∗ Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs ∗∗∗ --------------------------------------------- Today, CISA, (FBI), (NSA), (EPA), and (INCD) released a joint Cybersecurity Advisory (CSA) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-releas… ∗∗∗ Phishing-Angriffe: Betrüger missbrauchen Hotelbuchungsplattform booking.com ∗∗∗ --------------------------------------------- Mit auf Datendiebstahl spezialisierte Malware griffen Cyberkriminelle zunächst Hotelmitarbeiter an und verschickten dann über Booking betrügerische Mails. --------------------------------------------- https://www.heise.de/-9547507 ∗∗∗ Update your iPhones! Apple fixes two zero-days in iOS ∗∗∗ --------------------------------------------- Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fi… ∗∗∗ PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. --------------------------------------------- https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-sca… ∗∗∗ Vorsicht vor gefälschter Microsoft-Sicherheitswarnung ∗∗∗ --------------------------------------------- Beim Surfen im Internet poppt plötzlich eine Sicherheitswarnung auf: „Aus Sicherheitsgründen wurde das Gerät blockiert. Windows-Support Anrufen“. Zusätzlich wird eine Computerstimme abgespielt, die Ihnen erklärt, dass Ihre Kreditkarten- und Facebookdaten sowie persönliche Daten an Hacker weitergegeben werden. Für technische Unterstützung sollen Sie eine Nummer anrufen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-… ∗∗∗ Zyxel warnt vor kritischen Sicherheitslücken in NAS-Geräten ∗∗∗ --------------------------------------------- Betreibt jemand ein Zyxel NAS in seiner Umgebung? Der taiwanesische Hersteller hat gerade vor mehreren Schwachstellen in der Firmware dieser Geräte gewarnt. Drei kritische Schwachstellen ermöglichen es einem nicht authentifizierten Angreifer Betriebssystembefehle auf anfälligen NAS-Geräten (Network-Attached Storage) auszuführen. --------------------------------------------- https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherh… ===================== = Vulnerabilities = ===================== ∗∗∗ SQUID-2023:7 Denial of Service in HTTP Message Processing ∗∗∗ --------------------------------------------- Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing[..] This problem allows a remote attacker to perform Denial of Service when sending easily crafted HTTP Messages. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9 ∗∗∗ SQUID-2023:8 Denial of Service in Helper Process management ∗∗∗ --------------------------------------------- Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27 ∗∗∗ SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding ∗∗∗ --------------------------------------------- Due to a Use-After-Free bug Squid is vulnerable to a Denial of Service attack against collapsed forwarding [..] This problem allows a remote client to perform Denial of Service attack on demand when Squid is configured with collapsed forwarding. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5 ∗∗∗ GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 ∗∗∗ --------------------------------------------- These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443 --------------------------------------------- https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1… ∗∗∗ Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call ∗∗∗ --------------------------------------------- Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos state an update was released on 2023-11-15 which remediated the issue. --------------------------------------------- https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-s… ∗∗∗ Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution ∗∗∗ --------------------------------------------- In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/953702/ ∗∗∗ Ruckus Access Point vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN45891816/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2023
by Daily end-of-shift report 01 Dec '23

01 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-11-2023 18:00 − Freitag 01-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ IT threat evolution Q3 2023 ∗∗∗ --------------------------------------------- Non-mobile statistics & Mobile statistics --------------------------------------------- https://securelist.com/it-threat-evolution-q3-2023/111171/ ∗∗∗ Skimming Credit Cards with WebSockets ∗∗∗ --------------------------------------------- In this post we’ll review what web sockets are, why they are beneficial to attackers to use in skimming attacks, and an analysis of several different web socket credit card skimmers that we’ve identified on compromised ecommerce websites. --------------------------------------------- https://blog.sucuri.net/2023/11/skimming-credit-cards-with-websockets.html ∗∗∗ Cyber Resilience Act: EU einigt sich auf Vorschriften für vernetzte Produkte ∗∗∗ --------------------------------------------- Anbieter müssen in der EU zukünftig für längere Zeit Sicherheitsupdates zur Verfügung stellen – in der Regel für fünf Jahre. --------------------------------------------- https://www.heise.de/-9545873 ∗∗∗ Opening Critical Infrastructure: The Current State of Open RAN Security ∗∗∗ --------------------------------------------- The Open Radio Access Network (ORAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on ORAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire Ran Intelligent Controller (RIC) subsystem. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple security updates and Rapid Security Responses ∗∗∗ --------------------------------------------- WebKit: CVE-2023-42916, CVE-2023-42917 * Safari 17.1.2 * iOS 17.1.2 and iPadOS 17.1.2 * macOS Sonoma 14.1.2 --------------------------------------------- https://support.apple.com/en-us/HT201222 ∗∗∗ Multiple Vulnerabilities in Autodesk Desktop Licensing Service ∗∗∗ --------------------------------------------- Autodesk Desktop Licensing Service has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities could lead to code execution due to weak permissions. Autodesk Desktop Licensing Installer, libcurl: CVE-2023-38039, CVE-2023-28321, CVE-2023-38545 --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0023 ∗∗∗ VMware Cloud Director 10.5 GA Workaround for CVE-2023-34060 ∗∗∗ --------------------------------------------- VMware released VMware Cloud Director 10.5.1 on November 30th 2023. This version includes a fix for the authentication bypass vulnerability documented in VMSA-2023-0026. --------------------------------------------- https://kb.vmware.com/s/article/95534 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gimp-dds, horizon, libde265, thunderbird, vlc, and zbar), Fedora (java-17-openjdk and xen), Mageia (optipng, roundcubemail, and xrdp), Red Hat (postgresql), Slackware (samba), SUSE (chromium, containerd, docker, runc, libqt4, opera, python-django-grappelli, sqlite3, and traceroute), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, and linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2). --------------------------------------------- https://lwn.net/Articles/953512/ ∗∗∗ Mattermost security updates 9.2.3 / 9.1.4 / 9.0.5 / 8.1.7 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.3, 9.1.4, 9.0.5, and 8.1.7 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-2-3-9-1-4-9-0-5-8… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2023
by Daily end-of-shift report 30 Nov '23

30 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-11-2023 18:00 − Donnerstag 30-11-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FjordPhantom Android malware uses virtualization to evade detection ∗∗∗ --------------------------------------------- A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware… ∗∗∗ TRAP; RESET; POISON; - Übernahme eines Landes nach Kaminsky Art ∗∗∗ --------------------------------------------- Ein technischer Einblick in die Manipulation der DNS-Namensauflösung eines ganzen Landes. --------------------------------------------- https://sec-consult.com/de/blog/detail/uebernahme-eines-landes-nach-kaminsk… ∗∗∗ CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks ∗∗∗ --------------------------------------------- A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. --------------------------------------------- https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html ∗∗∗ Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data ∗∗∗ --------------------------------------------- Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant. --------------------------------------------- https://www.hackread.com/zoom-vulnerability-hackers-hijack-meetings-data/ ∗∗∗ BLUFFS: Neue Angriffe gefährden Bluetooth-Datensicherheit auf Milliarden Geräten ∗∗∗ --------------------------------------------- Durch eine Lücke im Bluetooth-Protokoll können Angreifer einfach zu knackende Schlüssel erzwingen und so vergangene wie zukünftige Datenübertragung knacken. --------------------------------------------- https://www.heise.de/-9544862 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053 ∗∗∗ --------------------------------------------- The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-053 ∗∗∗ Apache ActiveMQ: Mehrere Codeschmuggel-Lücken von Botnetbetreibern ausgenutzt ∗∗∗ --------------------------------------------- Derweil meldet das ActiveMQ-Projekt eine neue Sicherheitslücke, die ebenfalls zur Ausführung von Schadcode genutzt werden kann. Der Fehler verbirgt sich in der Deserialisierungsroutine der Jolokia-Komponente, setzt aber eine Authentisierung voraus. Während die ActiveMQ-Entwickler von einem mittleren Schweregrad ausgehen, vergeben der Warn- und Informationsdienst des BSI einen CVSS-Wert von 8.8 und stuft den Schweregrad somit als "hoch" ein. CVE ID: CVE-2022-41678 --------------------------------------------- https://www.heise.de/-9544281 ∗∗∗ MOVEit Transfer Service Pack (November 2023) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the MOVEit Transfer November 2023 Service Pack. The Service Pack contains fixes for (2) newly disclosed CVEs described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. CVE IDs: CVE-2023-6217, CVE-2023-6218 --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Novem… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) ∗∗∗ --------------------------------------------- Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha). --------------------------------------------- https://lwn.net/Articles/953379/ ∗∗∗ [R1] Nessus Network Monitor 6.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Risk Factor: Critical, CVE ID: CVE-2023-5363, CVE-2021-23369, CVE-2021-23383, CVE-2018-9206 --------------------------------------------- https://www.tenable.com/security/tns-2023-43 ∗∗∗ Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products ∗∗∗ --------------------------------------------- Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection. CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/30/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC KEPServerEx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-01 ∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2023
by Daily end-of-shift report 29 Nov '23

29 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-11-2023 18:00 − Mittwoch 29-11-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability ∗∗∗ --------------------------------------------- The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat thats capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) [...] --------------------------------------------- https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html ∗∗∗ DJVU Ransomwares Latest Variant Xaro Disguised as Cracked Software ∗∗∗ --------------------------------------------- A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," [...] --------------------------------------------- https://thehackernews.com/2023/11/djvu-ransomwares-latest-variant-xaro.html ∗∗∗ Okta Breach Impacted All Customer Support Users—Not 1 Percent ∗∗∗ --------------------------------------------- Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.” --------------------------------------------- https://www.wired.com/story/okta-breach-disclosure-all-customer-support-use… ∗∗∗ Scans zu kritischer Sicherheitslücke in ownCloud-Plugin ∗∗∗ --------------------------------------------- Die Schwachstelle im GraphAPI-Plugin kann zur unfreiwilligen Preisgabe der Admin-Zugangsdaten führen. ownCloud-Admins sollten schnell reagieren. --------------------------------------------- https://www.heise.de/-9542895.html ∗∗∗ Sicherheitslücke: Schadcode-Attacken auf Solarwinds Platform möglich ∗∗∗ --------------------------------------------- Die Solarwinds-Entwickler haben zwei Schwachstellen in ihrer Monitoringsoftware geschlossen. --------------------------------------------- https://www.heise.de/-9543391.html ∗∗∗ New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher ∗∗∗ --------------------------------------------- An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy. --------------------------------------------- https://www.securityweek.com/new-bluffs-bluetooth-attacks-have-large-scale-… ∗∗∗ Deepfake-Videos mit Armin Assinger führen zu Investitionsbetrug! ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook, Instagram, TikTok und YouTube Werbevideos mit betrügerischen Inhalten. Dabei wird insbesondere das Gesicht Armin Assingers für Deepfakes eingesetzt. Armin Assinger werden mithilfe von Künstlicher Intelligenz (KI) Worte in den Mund gelegt, sodass dadurch betrügerische Investitionsplattformen beworben werden. Vorsicht: Folgen Sie diesen Links nicht, denn hier sind sämtliche Investments verloren! --------------------------------------------- https://www.watchlist-internet.at/news/deepfake-videos-mit-armin-assinger-f… ∗∗∗ Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis ∗∗∗ --------------------------------------------- A look at some deceptive tactics used by malware authors in an effort to evade analysis. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/spyware-… ∗∗∗ Exploitation of Unitronics PLCs used in Water and Wastewater Systems ∗∗∗ --------------------------------------------- CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-… ∗∗∗ CISA Releases First Secure by Design Alert ∗∗∗ --------------------------------------------- Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series. This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles: [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/29/cisa-releases-first-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability ∗∗∗ --------------------------------------------- Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-331-01 Delta Electronics InfraSuite Device Master * ICSA-23-331-02 Franklin Electric Fueling Systems Colibri * ICSA-23-331-03 Mitsubishi Electric GX Works2 * ICSMA-23-331-01 BD FACSChorus --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/cisa-releases-four-indus… ∗∗∗ SolarWinds Platform 2023.4.2 Release Notes ∗∗∗ --------------------------------------------- SolarWinds Platform 2023.4.2 is a service release providing bug and security fixes for release 2023.4. CVE-2023-40056: SQL Injection Remote Code Execution Vulnerability Severity: 8.0 (high) --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ Arcserve Unified Data Protection Multiple Vulnerabilities ∗∗∗ --------------------------------------------- * CVE-2023-41998 - UDP Unauthenticated RCE * CVE-2023-41999 - UDP Management Authentication Bypass * CVE-2023-42000 - UDP Agent Unauthenticated Path Traversal File Upload Solution: Upgrade to Arcserve UDP version 9.2 or later. --------------------------------------------- https://www.tenable.com/security/research/tra-2023-37 ∗∗∗ Sicherheitslücke in Hikvision-Kameras und NVR ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Verschiedene Modelle des chinesischen Herstellers gestatteten Angreifern den unbefugten Zugriff. Auch andere Marken sind betroffen, Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9543336.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0 and postgresql-multicorn), Fedora (golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, libcap, nats-server, openvpn, and python-geopandas), Mageia (kernel), Red Hat (c-ares, curl, fence-agents, firefox, kernel, kernel-rt, kpatch-patch, libxml2, pixman, postgresql, and tigervnc), SUSE (python-azure-storage-queue, python-Twisted, and python3-Twisted), and Ubuntu (afflib, ec2-hibinit-agent, linux-nvidia-6.2, linux-starfive-6.2, and poppler). --------------------------------------------- https://lwn.net/Articles/953226/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2023
by Daily end-of-shift report 28 Nov '23

28 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-11-2023 18:00 − Dienstag 28-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a "severe design flaw" in Google Workspaces domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges. --------------------------------------------- https://thehackernews.com/2023/11/design-flaw-in-google-workspace-could.html ∗∗∗ LostTrust Ransomware ∗∗∗ --------------------------------------------- The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristcs to the MetaEncryptor ransomware family including code flow and strings which indicates that the encryptor is a variant from the original MetaEncryptor source. --------------------------------------------- https://www.shadowstackre.com/analysis/losttrust ∗∗∗ Slovenian power company hit by ransomware ∗∗∗ --------------------------------------------- Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted. The attack HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants. The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected. --------------------------------------------- https://www.helpnetsecurity.com/2023/11/28/slovenian-power-company-ransomwa… ∗∗∗ Exploitation of Critical ownCloud Vulnerability Begins ∗∗∗ --------------------------------------------- Threat actors have started exploiting a critical ownCloud vulnerability leading to sensitive information disclosure. --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-owncloud-vulnerabilit… ∗∗∗ Webinar: Sicheres Online-Shopping ∗∗∗ --------------------------------------------- Darf ich Artikel immer zurücksenden und wie lange habe ich dafür Zeit? Was ist das Rücktrittsrecht und welche Zahlungsmethoden gelten als sicher? Dieses Webinar gibt rechtliche Tipps und Infos zum sicheren Online-Einkauf. Nehmen Sie kostenlos teil: Montag, 11. Dezember 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicheres-online-shopping-2/ ∗∗∗ Betrügerische Plattform für Sportwetten: xxwin.bet ∗∗∗ --------------------------------------------- xxwin.bet ist eine betrügerische Online-Plattform für Sportwetten. Die Plattform wird meist in fragwürdigen Telegram-Kanälen empfohlen. Wenn Sie dort einzahlen, verlieren Sie Ihr Geld, denn die Plattform zahlt keine Gewinne aus. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-plattform-fuer-sportw… ===================== = Vulnerabilities = ===================== ∗∗∗ Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server ∗∗∗ --------------------------------------------- The Anveo Mobile App (Windows version) does not validate server certificates and therefore enables man-in-the-middle attacks. The Anveo Server is also vulnerable against user enumeration because of different error messages for existing vs. non-existing users. The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/missing-certificate-vali… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptojs, fastdds, mediawiki, and minizip), Fedora (chromium, kubernetes, and thunderbird), Mageia (lilypond, mariadb, and packages), Red Hat (firefox, linux-firmware, and thunderbird), SUSE (compat-openssl098, gstreamer-plugins-bad, squashfs, squid, thunderbird, vim, and xerces-c), and Ubuntu (libtommath, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, perl, and python3.8, python3.10, python3.11). --------------------------------------------- https://lwn.net/Articles/953099/ ∗∗∗ Critical Vulnerability Found in Ray AI Framework ∗∗∗ --------------------------------------------- Tracked as CVE-2023-48023, the bug exists because Ray does not properly enforce authentication on at least two of its components, namely the dashboard and client. A remote attacker can abuse this issue to submit or delete jobs without authentication. Furthermore, the attacker could retrieve sensitive information and execute arbitrary code, Bishop Fox says. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-ray-ai-framewo… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20231101] - Core - Exposure of environment variables ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/919-20231101-core-exposure… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FESTO: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-036/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2023
by Daily end-of-shift report 27 Nov '23

27 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-11-2023 18:00 − Montag 27-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Atomic Stealer malware strikes macOS via fake browser updates ∗∗∗ --------------------------------------------- The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strik… ∗∗∗ EvilSlackbot: A Slack Attack Framework ∗∗∗ --------------------------------------------- To authenticate to the Slack API, each bot is assigned an api token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. --------------------------------------------- https://github.com/Drew-Sec/EvilSlackbot ∗∗∗ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th) ∗∗∗ --------------------------------------------- Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys. --------------------------------------------- https://isc.sans.edu/diary/rss/30432 ∗∗∗ WordPress Vulnerability & Patch Roundup November 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-novem… ∗∗∗ Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections ∗∗∗ --------------------------------------------- A new study has demonstrated that its possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel. --------------------------------------------- https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html ∗∗∗ Eine Milliarde unsichere Webseiten … Vergessen Sie die Duschmatte nicht! ∗∗∗ --------------------------------------------- In der Werbung aufgebauschte Risiken dienen eher dem Verkauf von Sicherheitsprodukten als der Sicherheit selbst. Im Gegenteil, für diese sind sie oft schädlich. --------------------------------------------- https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-S… ∗∗∗ BSI und weitere Cybersicherheitsbehörden veröffentlichen KI-Richtlinien ∗∗∗ --------------------------------------------- Das BSI veröffentlicht Richtlinien für sichere KI-Systeme in Zusammenarbeit mit Partnerbehörden aus Großbritannien und den USA. --------------------------------------------- https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeff… ∗∗∗ Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day) ∗∗∗ --------------------------------------------- On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database. --------------------------------------------- https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html ∗∗∗ Vorsicht vor Fake-Shops für Skins ∗∗∗ --------------------------------------------- Beim Online-Shop fngalaxy.de finden Sie Skins und Accounts für Fortnite. „Renegade Raider“, „OG Ghoul Trooper“ oder „Black Knight“ werden dort vergünstigt angeboten. Wir raten aber von einer Bestellung ab, da Sie nur mit einem Paysafecard- oder Amazon-Code bezahlen können und Ihre Bestellung nicht erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/ ∗∗∗ Warnung vor betrügerischen Mails im Namen von Finanz Online ∗∗∗ --------------------------------------------- Die täuschend echt wirkenden E-Mails verlinken auf eine gefälschte Website, auf der die Opfer wiederum ihre Bankdaten eingeben sollen --------------------------------------------- https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanz… ∗∗∗ LKA-Warnung vor gefälschten Temu-Benachrichtigungen ∗∗∗ --------------------------------------------- Das Landeskriminalamt Niedersachsen hat die Tage eine Warnung herausgegeben, die Kunden des chinesischen Billig-Versandhändlers Temu betrifft. Betrüger versuchen Empfänger mit der Vorspiegelung falscher Tatsachen in Form einer vorgeblichen Temu-Benachrichtigung zur Preisgabe persönlicher Informationen zu bringen. Hier ein kurzer Überblick [..] --------------------------------------------- https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-be… ∗∗∗ Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) ∗∗∗ --------------------------------------------- While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered the attack case in which the group is assumed to be exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware. --------------------------------------------- https://asec.ahnlab.com/en/59318/ ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities ∗∗∗ --------------------------------------------- The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23th includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-fram… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird). --------------------------------------------- https://lwn.net/Articles/952923/ ∗∗∗ MISP 2.4.179 released with a host of improvements a security fix and some new tooling. ∗∗∗ --------------------------------------------- MISP 2.4.179 released with a host of improvements a security fix and some new tooling.First baby steps taken towards LLM integration. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2023
by Daily end-of-shift report 24 Nov '23

24 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-11-2023 18:00 − Freitag 24-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Building your first metasploit exploit ∗∗∗ --------------------------------------------- This post outlines the process I followed to transform the authenticated Remote Code Execution (RCE) vulnerability in PRTG, identified as CVE-2023-32781, into a Metasploit exploit. The focus here is on the development of the exploit itself, rather than the steps for exploiting the RCE. For specific details on the vulnerability, please refer to the corresponding post titled PRTG Remote Code Execution. --------------------------------------------- https://baldur.dk/blog/writing-metasploit-exploit.html ∗∗∗ OpenSSL 3.2 implementiert TCP-Nachfolger QUIC ∗∗∗ --------------------------------------------- Das Transportprotokoll QUIC nimmt mit OpenSSL Fahrt auf: Die Open-Source-Kryptobibliothek implementiert es in der neuen Version 3.2 – zumindest teilweise. --------------------------------------------- https://www.heise.de/-9538866.html ∗∗∗ Synology schließt Pwn2Own-Lücke in Router-Manager-Firmware ∗∗∗ --------------------------------------------- Im Betriebssystem für Synology-Router haben IT-Forscher beim Pwn2Own-Wettbewerb Sicherheitslücken aufgedeckt. Ein Update schließt sie. --------------------------------------------- https://www.heise.de/-9538922.html ∗∗∗ Telekopye: Chamber of Neanderthals’ secrets ∗∗∗ --------------------------------------------- Insight into groups operating Telekopye bots that scam people in online marketplaces --------------------------------------------- https://www.welivesecurity.com/en/eset-research/telekopye-chamber-neanderth… ∗∗∗ Atomic Stealer: Mac-Malware täuscht Nutzer mit angeblichen Browser-Updates ∗∗∗ --------------------------------------------- Die Updates bieten die Cyberkriminellen über kompromittierte Websites an. Atomic Stealer hat es unter anderem auf Passwörter in Apple iCloud Keychain abgesehen. --------------------------------------------- https://www.zdnet.de/88413104/atomic-stealer-mac-malware-taeuscht-nutzer-mi… ∗∗∗ Trend Micro Apex One Service Pack 1 Critical Patch (build 12534) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Nutzer von Trend Micro Apex One für Windows. Der Hersteller hat zum Service Pack 1 den Critical Patch (build 12534) veröffentlicht (danke an den Leser für den Hinweis). Dieser Patch enthält eine Reihe von Korrekturen und Erweiterungen [...] --------------------------------------------- https://www.borncity.com/blog/2023/11/23/trend-micro-apex-one-service-pack-… ∗∗∗ Intel Arc und Iris Xe Grafiktreiber 31.0.101.4972 fixt Office-Probleme (Nov. 2023) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag von dieser Woche, den ich mal separat herausziehe. Intel hat ein Update seiner Intel Arc und Iris Xe Grafiktreiber auf die Version 31.0.101.4972 veröffentlich. Dieses Update soll eine Reihe von Problemen (z.B bei Starfield (DX12) beheben. --------------------------------------------- https://www.borncity.com/blog/2023/11/24/intel-arc-und-iris-xe-grafiktreibe… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: TunnelCrack Vulnerabilities in VPN Clients ∗∗∗ --------------------------------------------- CVE(s): CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671 Product(s): Sophos Connect Client 2.0 Workaround: Yes --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20231124-tunnelc… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) ∗∗∗ --------------------------------------------- Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 [...] --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, intel-microcode, and tor), Fedora (chromium, microcode_ctl, openvpn, and vim), Gentoo (LinuxCIFS utils, SQLite, and Zeppelin), Oracle (c-ares, container-tools:4.0, dotnet7.0, kernel, kernel-container, nodejs:20, open-vm-tools, squid:4, and tigervnc), Red Hat (samba and squid), Slackware (mozilla), SUSE (fdo-client, firefox, libxml2, maven, maven-resolver, sbt, xmvn, poppler, python-Pillow, squid, strongswan, and xerces-c), and Ubuntu (apache2, firefox, glusterfs, nghttp2, poppler, python2.7, python3.5, python3.6, tiff, and zfs-linux). --------------------------------------------- https://lwn.net/Articles/952602/ ∗∗∗ ActiveMQ-5.18.2 RCE-shell-reverse-Metasploit ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023110026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2023
by Daily end-of-shift report 23 Nov '23

23 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-11-2023 18:00 − Donnerstag 23-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw ∗∗∗ --------------------------------------------- Threat actors were actively exploiting CVE-2023-36025 before Microsoft patched it in November. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/proof-of-concept-exploi… ∗∗∗ Consumer cyberthreats: predictions for 2024 ∗∗∗ --------------------------------------------- Kaspersky experts review last years predictions on consumer cyberthreats and try to anticipate the trends for 2024. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-consumer-threats-2024/11… ∗∗∗ Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks ∗∗∗ --------------------------------------------- An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory. --------------------------------------------- https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.ht… ∗∗∗ The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks ∗∗∗ --------------------------------------------- During the last few months, we conducted a study of some of the top ransomware families (12 in total) that either directly developed ransomware for Linux systems or were developed in languages with a strong cross-platform component, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux indiscriminately. Our main objectives were to increase our understanding of the main motivations for developing ransomware targeting Linux instead of Windows systems, which historically have been the main target until now. --------------------------------------------- https://research.checkpoint.com/2023/the-platform-matters-a-comparative-stu… ∗∗∗ Your voice is my password ∗∗∗ --------------------------------------------- AI-driven voice cloning can make things far too easy for scammers – I know because I’ve tested it so that you don’t have to learn about the risks the hard way. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/your-voice-is-my-password/ ∗∗∗ Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker ∗∗∗ --------------------------------------------- SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar. --------------------------------------------- https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Uninstall Key Caching in Fortra Digital Guardian Agent Uninstaller (CVE-2023-6253) ∗∗∗ --------------------------------------------- The Digital Guardian Management Console is vulnerable to a Stored Cross-Site Scripting attack in the PDF Template functionality. The vendor replied that this is an intended feature. The Digital Guardian Agent Uninstaller File also caches the Uninstall Key which can be extracted by an attacker and be used to terminate and uninstall the agent. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/uninstall-key-caching-in… ∗∗∗ Sicherheitsschwachstellen in easySoft und easyE4 (SYSS-2023-007/-008/-009/-010) ∗∗∗ --------------------------------------------- In der Software „easySoft“ sowie dem Steuerrelais „easyE4“ der Eaton Industries GmbH wurden Schwachstellen gefunden. Diese ermöglichen sowohl das Extrahieren des Projektpassworts aus einer easySoft-Projektdatei als auch das Berechnen von Passwortkandidaten für easyE4-Programme, welche auf einer SD-Karte gespeichert sind. Darüber hinaus können auch Passwortkandidaten aus einem Netzwerkstream extrahiert werden, der z. B. während der Administration eines easyE4 aufgezeichnet wurde. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-easysoft-und-… ∗∗∗ ownCloud Security Advisories 2023-11-21 ∗∗∗ --------------------------------------------- ownCloud released 3 security advisories: 2x critical, 1x high --------------------------------------------- https://owncloud.com/security/https://owncloud.com/security/ ∗∗∗ Atlassian rüstet Jira Data Center and Server & Co. gegen mögliche Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Softwarelösungen von Atlassian. Es kann Schadcode auf Systeme gelangen. --------------------------------------------- https://www.heise.de/-9537138 ∗∗∗ Sicherheitsupdates in Foxit PDF Reader 2023.3 und Foxit PDF Editor 2023.3 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2023
by Daily end-of-shift report 22 Nov '23

22 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-11-2023 18:00 − Mittwoch 22-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ HrServ – Previously unknown web shell used in APT attack ∗∗∗ --------------------------------------------- In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021. --------------------------------------------- https://securelist.com/hrserv-apt-web-shell/111119/ ∗∗∗ ClearFake Campaign Expands to Deliver Atomic Stealer on Macs Systems ∗∗∗ --------------------------------------------- The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake."This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes Jérôme Segura said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/11/clearfake-campaign-expands-to-deliver.html ∗∗∗ Lumma malware can allegedly restore expired Google auth cookies ∗∗∗ --------------------------------------------- The Lumma information-stealer malware (aka LummaC2) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [..] This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-… ∗∗∗ Windows Hello Fingerprint Authentication Bypassed on Popular Laptops ∗∗∗ --------------------------------------------- Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them. --------------------------------------------- https://www.securityweek.com/windows-hello-fingerprint-authentication-bypas… ∗∗∗ „Ich möchte meine Bankdaten ändern“: Dieses Mail an die Personalabteilung könnte Betrug sein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Mitarbeiter:innen Ihres Unternehmens aus und bitten um Änderung Ihrer Bankdaten für die Gehaltsüberweisung. Wird das E-Mail nicht als Fake erkannt, wird das Gehalt der jeweiligen Mitarbeiter:innen auf das Bankkonto von Kriminellen überwiesen. Wir zeigen Ihnen, woher Kriminelle die Daten kennen und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/ich-moechte-meine-bankdaten-aendern-… ∗∗∗ The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets ∗∗∗ --------------------------------------------- Exposed Kubernetes secrets pose a critical threat of supply chain attack. Aqua Nautilus researchers found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other fortune-500 companies. --------------------------------------------- https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-ku… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in m-privacy TightGate-Pro ∗∗∗ --------------------------------------------- There are several vulnerabilities in the server which enables attackers to view the VNC sessions of other users, infect the VNC session with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers which are only reachable via an SSH-tunnel are severely outdated (2003). CVEs: CVE-2023-47250, CVE-2023-47251 --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin ∗∗∗ --------------------------------------------- On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites [..] We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023. --------------------------------------------- https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-inc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gimp), Fedora (audiofile and firefox), Mageia (postgresql), Red Hat (binutils, c-ares, fence-agents, glibc, kernel, kernel-rt, kpatch-patch, libcap, libqb, linux-firmware, ncurses, pixman, python-setuptools, samba, and tigervnc), Slackware (kernel and mozilla), SUSE (apache2-mod_jk, avahi, container-suseconnect, java-1_8_0-openjdk, libxml2, openssl-1_0_0, openssl-1_1, openvswitch, python3-setuptools, strongswan, ucode-intel, and util-linux), and Ubuntu (frr, gnutls28, hibagent, linux, linux-aws, linux-aws-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-oem-6.1, mosquitto, rabbitmq-server, squid, and tracker-miners). --------------------------------------------- https://lwn.net/Articles/952312/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Thunderbird ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/22/mozilla-releases-securit… ∗∗∗ Fix for BIRT Report Engine that is vulnerable due to nested jtidy.jar r938 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081112 ∗∗∗ Vulnerability in Apache HTTP Server affects IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081354 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081403 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2023
by Daily end-of-shift report 21 Nov '23

21 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-11-2023 18:00 − Dienstag 21-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits ∗∗∗ --------------------------------------------- The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits."Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the hosts resources to mine cryptocurrencies like Bitcoin, [..] --------------------------------------------- https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.h… ∗∗∗ How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography ∗∗∗ --------------------------------------------- Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. --------------------------------------------- https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html ∗∗∗ Gefälschte Zeitungsartikel bewerben betrügerische Investment-Angebote ∗∗∗ --------------------------------------------- Kriminelle fälschen Webseiten von Medien wie oe24 und ORF und füllen diese mit Fake-News. In den gefälschten Artikeln wird eine Möglichkeit beworben, wie man schnell reich wird. Angeblich geben Christoph Grissemann, Miriam Weichselbraun oder Armin Assinger Investitionstipps und erklären, dass jeder Mensch mit nur 250 Euro in wenigen Monaten eine Million machen kann. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben… ∗∗∗ CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed ∗∗∗ --------------------------------------------- Today, the (CISA), (FBI), (MS-ISAC), and Australian (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asd… ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets ∗∗∗ --------------------------------------------- Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings. CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204 --------------------------------------------- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusio… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/952088/ ∗∗∗ Synology-SA-23:16 SRM (PWN2OWN 2023) ∗∗∗ --------------------------------------------- The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM).A vulnerability reported by PWN2OWN 2023 has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_16 ∗∗∗ [nextcloud]: Server-Side Request Forgery (SSRF) in Mail app ∗∗∗ --------------------------------------------- An attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4… ∗∗∗ [nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF ∗∗∗ --------------------------------------------- The DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: user_ldap app logs user passwords in the log file on level debug ∗∗∗ --------------------------------------------- When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3… ∗∗∗ [nextcloud]: Can enable/disable birthday calendar for any user ∗∗∗ --------------------------------------------- An attacker could enable and disable the birthday calendar for any user on the same server. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: Admins can change authentication details of user configured external storage ∗∗∗ --------------------------------------------- It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ [nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V ∗∗∗ --------------------------------------------- When a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p… ∗∗∗ [nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name ∗∗∗ --------------------------------------------- An attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w… ∗∗∗ [nextcloud]: Users can make external storage mount points inaccessible for other users ∗∗∗ --------------------------------------------- A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f… ∗∗∗ Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software ∗∗∗ --------------------------------------------- The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ WAGO: Remote Code execution vulnerability in managed Switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-037/ ∗∗∗ PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-062/ ∗∗∗ Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080105 ∗∗∗ IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080104 ∗∗∗ IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080107 ∗∗∗ IBM Sterling B2B Integrator affected by XStream security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080106 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080117 ∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080118 ∗∗∗ Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080122 ∗∗∗ There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080157 ∗∗∗ There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080156 ∗∗∗ There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080155 ∗∗∗ Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080177 ∗∗∗ IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080174 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080172 ∗∗∗ IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080175 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2023
by Daily end-of-shift report 20 Nov '23

20 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-11-2023 18:00 − Montag 20-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit for CrushFTP RCE chain released, patch now ∗∗∗ --------------------------------------------- A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-cha… ∗∗∗ Lumma Stealer malware now uses trigonometry to evade detection ∗∗∗ --------------------------------------------- The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-us… ∗∗∗ Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits ∗∗∗ --------------------------------------------- The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apa… ∗∗∗ New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware ∗∗∗ --------------------------------------------- A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why it is assumed that the version of Agent Tesla is “new”? --------------------------------------------- https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq ∗∗∗ DarkGate and PikaBot Malware Resurrect QakBots Tactics in New Phishing Attacks ∗∗∗ --------------------------------------------- Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. “These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.ht… ∗∗∗ NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors ∗∗∗ --------------------------------------------- Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html ∗∗∗ Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions ∗∗∗ --------------------------------------------- In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented. --------------------------------------------- https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-i… ∗∗∗ Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications ∗∗∗ --------------------------------------------- The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features. --------------------------------------------- https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-ne… ∗∗∗ How to perform basic digital forensics on a Windows computer ∗∗∗ --------------------------------------------- Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basi… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für Trellix ePolicy Orchestrator schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Trellix, Nachfolger von McAfee und FireEye, hat den ePolicy Orchestrator aktualisiert. Das Update schließt etwa eine hochriskant eingestufte Schwachstelle. --------------------------------------------- https://www.heise.de/-9533816.html ∗∗∗ Synology schließt kritische Firmware-Lücke in Überwachungskameras ∗∗∗ --------------------------------------------- Angreifer können eigenen Code auf Überwachungskameras von Synology ausführen. --------------------------------------------- https://www.heise.de/-9534072.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser). --------------------------------------------- https://lwn.net/Articles/951999/ ∗∗∗ Schwachstelle CVE-2023-46302 in Apache Submarine ∗∗∗ --------------------------------------------- In Apache Submarine gibt es eine kritische Remote Code Execution-Schwachstelle CVE-2023-46302. Die Schwachstelle rührt von einer Sicherheitslücke in snakeyaml (CVE-2022-1471) her und gefährdet Apache Submarine-Benutzer, da Angreifer beliebigen Code auf verwundbaren Systemen ausführen können. --------------------------------------------- https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-ap… ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15005948/ ∗∗∗ WAGO: Improper privilege management in web-based management ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-015/ ∗∗∗ [R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-42 ∗∗∗ CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079403 ∗∗∗ CVE-2022-24434 An issue was discovered in the npm package dicer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079460 ∗∗∗ Vulnerability in d3-color affects IBM UrbanCode Velocity . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079484 ∗∗∗ IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079947 ∗∗∗ QRadar Suite Software includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080058 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerabilitiy [CVE-2023-24539] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080057 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL. (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7076344 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2023
by Daily end-of-shift report 17 Nov '23

17 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-11-2023 18:00 − Freitag 17-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MySQL servers targeted by Ddostf DDoS-as-a-Service botnet ∗∗∗ --------------------------------------------- MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-dd… ∗∗∗ Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th) ∗∗∗ --------------------------------------------- If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!). --------------------------------------------- https://isc.sans.edu/diary/rss/30408 ∗∗∗ Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware ∗∗∗ --------------------------------------------- Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. --------------------------------------------- https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html ∗∗∗ Understanding the Phobos affiliate structure and activity ∗∗∗ --------------------------------------------- Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants --------------------------------------------- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-struc… ∗∗∗ ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims ∗∗∗ --------------------------------------------- Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts. --------------------------------------------- https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/ ∗∗∗ CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector ∗∗∗ --------------------------------------------- Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation… ===================== = Vulnerabilities = ===================== ∗∗∗ Bildbearbeitung: Angreifer können Gimp Schadcode unterjubeln ∗∗∗ --------------------------------------------- Die freie Open-Source-Bildbearbeitung Gimp ist in Version 2.10.36 erschienen. Sie schließt Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-… ∗∗∗ FortiNet flickt schwere Sicherheitslücken in FortiOS und anderen Produkten ∗∗∗ --------------------------------------------- Neben FortiOS und FortiClient sind auch FortiSIEM, FortiWLM und weitere von zum Teil kritischen Security-Fehlern betroffen. Admins sollten patchen. --------------------------------------------- https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-For… ∗∗∗ Anonymisierendes Linux: Tails 5.19.1 behebt Tor-Lücke, Audit-Ergebnisse sind da ∗∗∗ --------------------------------------------- Ein offenbar aus der Ferne ausnutzbarer Bug in Tor führte zum neuerlichen Update. Die Ergebnisse der kürzlichen Sicherheitsprüfung hingegen sind positiv. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Lu… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn). --------------------------------------------- https://lwn.net/Articles/951801/ ∗∗∗ Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools ∗∗∗ --------------------------------------------- Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft. Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain --------------------------------------------- https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found… ∗∗∗ [R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-41 ∗∗∗ [R1] Nessus Version 10.6.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-40 ∗∗∗ [R1] Nessus Version 10.5.7 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-39 ∗∗∗ Juniper Releases Security Advisory for Juniper Secure Analytics ∗∗∗ --------------------------------------------- Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-securit… ∗∗∗ ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1716/ ∗∗∗ SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1107 ∗∗∗ SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1106 ∗∗∗ SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1105 ∗∗∗ SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1104 ∗∗∗ SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1103 ∗∗∗ SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1102 ∗∗∗ SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1101 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077733 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerabilitiy [CVE-2023-46751] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077734 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077736 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerabilitiy [CVE-2023-43642] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077735 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077739 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io\/apimachinery, k8s.io\/apiserver (CVE-2022-3172, CVE-2022-3162) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077936 ∗∗∗ InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070742 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070740 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org\/x\/net, x\/crypto, and x\/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077942 ∗∗∗ IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070140 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift\/machine-api-operator, openshift\/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077938 ∗∗∗ IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077947 ∗∗∗ Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078433 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7063706 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077530 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957156 ∗∗∗ Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078751 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078745 ∗∗∗ Red Lion Sixnet RTUs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2023
by Daily end-of-shift report 16 Nov '23

16 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-11-2023 18:00 − Donnerstag 16-11-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups ∗∗∗ --------------------------------------------- A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.ht… ∗∗∗ Deep Dive: Learning from Okta – the hidden risk of HAR files ∗∗∗ --------------------------------------------- HAR is short for HTTP Archive, and it’s a way of saving full details of the high-level network traffic in a web browsing session, usually for development, debugging, or testing purposes. --------------------------------------------- https://pducklin.com/2023/11/14/deep-dive-learning-from-okta-the-hidden-ris… ∗∗∗ Fake-Shops locken mit Black-Friday-Angeboten ∗∗∗ --------------------------------------------- Rund um den Blackfriday lässt sich das ein oder andere Schnäppchen ergattern. Wir raten aber dazu, Online-Shops vor einer Bestellung genau zu prüfen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-locken-mit-black-friday-a… ∗∗∗ Attacker – hidden in plain sight for nearly six months – targeting Python developers ∗∗∗ --------------------------------------------- For close to six months, a malicious actor has been stealthily uploading dozens of malicious Python packages, most of them mimicking the names of legitimate ones, to bait unsuspecting developers. --------------------------------------------- https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-mo… ∗∗∗ FBI and CISA Release Advisory on Scattered Spider Group ∗∗∗ --------------------------------------------- Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/fbi-and-cisa-release-adv… ===================== = Vulnerabilities = ===================== ∗∗∗ New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. --------------------------------------------- https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvpn), Oracle (kernel, microcode_ctl, plexus-archiver, and python), Red Hat (.NET 6.0, dotnet6.0, dotnet7.0, dotnet8.0, kernel, linux-firmware, and open-vm-tools), SUSE (apache2, chromium, jhead, postgresql12, postgresql13, and qemu), and Ubuntu (dotnet6, dotnet7, dotnet8, frr, python-pip, quagga, and tidy-html5). --------------------------------------------- https://lwn.net/Articles/951681/ ∗∗∗ Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-052 ∗∗∗ FortiOS & FortiProxy VM - Bypass of root file system integrity checks at boot time on VM ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-396 ∗∗∗ FortiOS & FortiProxy - DOS in headers management ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-151 ∗∗∗ Cisco Secure Client Software Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Endpoint for Windows Scanning Evasion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco AppDynamics PHP Agent Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSIEM - OS command injection in Report Server ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-135 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2023-11 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-11-Security-Bulletin-JSA-S… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0010.html ∗∗∗ Released: November 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november… ∗∗∗ Citrix Releases Security Updates for Citrix Hypervisor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/citrix-releases-security… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2023
by Daily end-of-shift report 15 Nov '23

15 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-11-2023 18:00 − Mittwoch 15-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IPStorm botnet with 23,000 proxies for malicious traffic dismantled ∗∗∗ --------------------------------------------- The U.S. Department of Justive announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipstorm-botnet-with-23-000-p… ∗∗∗ The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses ∗∗∗ --------------------------------------------- At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. --------------------------------------------- https://blog.fox-it.com/2023/11/15/the-spelling-police-searching-for-malici… ∗∗∗ #StopRansomware: Rhysida Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a ===================== = Vulnerabilities = ===================== ∗∗∗ WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks ∗∗∗ --------------------------------------------- The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the sites database. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-… ∗∗∗ Reptar: Intel-CPU-Schwachstelle ermöglicht Rechteausweitung und DoS ∗∗∗ --------------------------------------------- Entdeckt wurde die Schwachstelle von Google-Forschern. Sie basiert wohl auf der Art und Weise, wie Intel-CPUs redundante Präfixe verarbeiten. --------------------------------------------- https://www.golem.de/news/reptar-intel-cpu-schwachstelle-ermoeglicht-rechte… ∗∗∗ Kein Patch verfügbar: VMware warnt vor kritischer Schwachstelle in Cloud Director ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht es Angreifern, die Authentifizierung anfälliger VMware-Systeme zu umgehen und Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/kein-patch-verfuegbar-vmware-warnt-vor-kritischer… ∗∗∗ Cloud-Schutzlösung: IBM Security Guardium vielfältig attackierbar ∗∗∗ --------------------------------------------- Die IBM-Entwickler haben viele Sicherheitslücken in verschiedenen Komponenten von Security Guardium geschlossen. --------------------------------------------- https://www.heise.de/news/Cloud-Schutzloesung-IBM-Security-Guardium-vielfae… ∗∗∗ CacheWarp: Loch in Hardware-Verschlüsselung von AMD-CPUs ∗∗∗ --------------------------------------------- Der jetzt vorgestellte CacheWarp-Angriff überwindet die RAM-Verschlüsselung, mit der AMD-Prozessoren Cloud-Instanzen voneinander abschotten wollen. --------------------------------------------- https://www.heise.de/news/CacheWarp-Loch-in-Hardware-Verschluesselung-von-A… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Acrobat, Photoshop & Co. geschlossen ∗∗∗ --------------------------------------------- Adobe hat Sicherheitsupdates für 15 Anwendungen veröffentlicht. Im schlimmsten Fall können Angreifer eigenen Code auf Systemen ausführen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-in-Acrobat-Photo… ∗∗∗ Patchday: SAP schließt eine kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Der November-Patchday weicht vom gewohnten Umfang ab: Lediglich drei neue Sicherheitslücken behandelt SAP. --------------------------------------------- https://www.heise.de/news/Patchday-SAP-schliesst-eine-kritische-Sicherheits… ∗∗∗ Sicherheitsupdates: Access Points von Aruba sind verwundbar ∗∗∗ --------------------------------------------- Angreifer können Schadcode auf Acces Points von Aruba ausführen. Sicherheitspatches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Acces-Points-von-Aruba-sind-ve… ∗∗∗ Patchday: Intel patcht sich durch sein Produkportfolio ∗∗∗ --------------------------------------------- Angreifer können mehrere Komponenten von Intel attackieren. In vielen Fällen sind DoS-Attacken möglich. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-patcht-sich-durch-sein-Produkportf… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libclamunrar and ruby-sanitize), Fedora (frr, roundcubemail, and webkitgtk), Mageia (freerdp and tomcat), Red Hat (avahi, bind, c-ares, cloud-init, container-tools:4.0, container-tools:rhel8, cups, dnsmasq, edk2, emacs, flatpak, fwupd, ghostscript, grafana, java-21-openjdk, kernel, kernel-rt, libfastjson, libmicrohttpd, libpq, librabbitmq, libreoffice, libreswan, libX11, linux-firmware, mod_auth_openidc:2.3, nodejs:20, opensc, perl-HTTP-Tiny, [...] --------------------------------------------- https://lwn.net/Articles/951480/ ∗∗∗ November-Patchday: Microsoft schließt 63 Sicherheitslücken ∗∗∗ --------------------------------------------- Fünf Anfälligkeiten sind als kritisch eingestuft. Davon betroffen sind alle unterstützten Versionen von Windows. --------------------------------------------- https://www.zdnet.de/88412929/november-patchday-microsoft-schliesst-63-sich… ∗∗∗ QNX-2023-001 Vulnerability in QNX Networking Stack Impacts BlackBerry QNX Software Development Platform ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-23-1636: NETGEAR CAX30 SSO Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1636/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-23583 and CVE-2023-46835 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bul… ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500588-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp SnapCenter Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500587-NETAPP-SNAPCENTER-PRIVI… ∗∗∗ AMD Radeon Graphics Kernel Driver Privilege Management Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500586-AMD-RADEON-GRAPHICS-KER… ∗∗∗ AMD Graphics Driver Vulnerabilities- November, 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500583-AMD-GRAPHICS-DRIVER-VUL… ∗∗∗ Intel Graphics Driver Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500584-INTEL-GRAPHICS-DRIVER-A… ∗∗∗ Intel Rapid Storage Technology Software Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500585 ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500589-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Fortinet Releases Security Updates for FortiClient and FortiGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/14/fortinet-releases-securi… ∗∗∗ K000137584 : Linux kernel vulnerability CVE-2023-1829 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137584 ∗∗∗ K000137582 : BIND vulnerability CVE-2023-3341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137582 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2023
by Daily end-of-shift report 14 Nov '23

14 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-11-2023 18:00 − Dienstag 14-11-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA warns of actively exploited Juniper pre-auth RCE exploit chain ∗∗∗ --------------------------------------------- CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ ChatGPT, Bard und andere: KI-Systeme ermöglichen Ausleiten von Daten ∗∗∗ --------------------------------------------- Durch gezielte Abfragen lassen sich private und geschützte Daten aus KI-Systemen ausleiten. Die Angriffe zeigen ein prinzipielles Problem. --------------------------------------------- https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-a… ∗∗∗ Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th) ∗∗∗ --------------------------------------------- Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookup and some of them initiates connection without DNS lookup. For this last option, this is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic by at least two weeks. Most companies do not have money to afford a NDR, so I'm going to show you today an interesting tip that have worked for me to notice APT calling home when they perform DNS lookup. --------------------------------------------- https://isc.sans.edu/diary/rss/30396 ∗∗∗ Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain ∗∗∗ --------------------------------------------- The algorithms are used by TETRA – short for the Terrestrial Trunked Radio protocol – and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryp… ∗∗∗ Novel backdoor persists even after critical Confluence vulnerability is patched ∗∗∗ --------------------------------------------- Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdo… ∗∗∗ Nothing new, still broken, insecure by default since then: Pythons e-mail libraries and certificate verification ∗∗∗ --------------------------------------------- Today, basically every e-mail provider supports TLS for their services and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries require passing a magic parameter in the right way to use secure communication. --------------------------------------------- https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verifica… ∗∗∗ LockBit ransomware group assemble strike team to breach banks, law firms and governments. ∗∗∗ --------------------------------------------- [...] I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. --------------------------------------------- https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-b… ∗∗∗ CVE Half-Day Watcher ∗∗∗ --------------------------------------------- CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits. --------------------------------------------- https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher ∗∗∗ Vorsicht vor Jobangeboten per SMS oder WhatsApp ∗∗∗ --------------------------------------------- Unerwartet erhalten Sie eine Nachricht von einer Personalvermittlungsagentur: Ihnen wird ein Job angeboten. Die Bezahlung ist gut und die Arbeitszeiten sind flexibel. Es geht darum, Hotels und Touristenattraktionen zu bewerten. Bei Interesse sollten Sie dem Arbeitgeber eine WhatsApp-Nachricht schicken. Ignorieren Sie dieses Jobangebot, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-od… ∗∗∗ Ddostf DDoS Bot Malware Attacking MySQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016. --------------------------------------------- https://asec.ahnlab.com/en/58878/ ∗∗∗ A Closer Look at ChatGPTs Role in Automated Malware Creation ∗∗∗ --------------------------------------------- This blog entry explores the effectiveness of ChatGPTs safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-r… ∗∗∗ Malicious Abrax666 AI Chatbot Exposed as Potential Scam ∗∗∗ --------------------------------------------- As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam. --------------------------------------------- https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens has released 14 new and 18 updated Security Advisories. --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#Sie… ∗∗∗ Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels ∗∗∗ --------------------------------------------- A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-445.html ∗∗∗ Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective ∗∗∗ --------------------------------------------- An attacker in a PV guest might be able to infer the contents of memory belonging to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-446.html ∗∗∗ SAP Security Patch Day –November2023 ∗∗∗ --------------------------------------------- On 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached). --------------------------------------------- https://lwn.net/Articles/951311/ ∗∗∗ ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric ∗∗∗ --------------------------------------------- Siemens and Schneider Electric’s Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed… ∗∗∗ Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released ∗∗∗ --------------------------------------------- The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-e… ∗∗∗ TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-007 ∗∗∗ TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-006 ∗∗∗ TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-005 ∗∗∗ IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7072626 ∗∗∗ IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073360 ∗∗∗ IBM Security Guardium is affected by multiple OS level vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073592 ∗∗∗ AVEVA Operations Control Logger ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01 ∗∗∗ Rockwell Automation SIS Workstation and ISaGRAF Workbench ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2023
by Daily end-of-shift report 13 Nov '23

13 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-11-2023 18:00 − Montag 13-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ In a first, cryptographic keys protecting SSH connections stolen in new attack ∗∗∗ --------------------------------------------- An error as small as a single flipped memory bit is all it takes to expose a private key. --------------------------------------------- https://arstechnica.com/?p=1983026 ∗∗∗ Hackers breach healthcare orgs via ScreenConnect remote access ∗∗∗ --------------------------------------------- Security researchers are warning that hackers are targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-healthcare-or… ∗∗∗ New Ransomware Group Emerges with Hives Source Code and Infrastructure ∗∗∗ --------------------------------------------- The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters [...] --------------------------------------------- https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.h… ∗∗∗ Abusing Microsoft Access “Linked Table” Feature to Perform NTLM Forced Authentication Attacks ∗∗∗ --------------------------------------------- 1. Microsoft Access (part of the Office suite) has a “linking to remote SQL Server tables” feature. 2. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80. 3. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf ) can work as well 4. This technique allows the attacker to bypass existing Firewall rules designed to block NTLM information stealing initiated by external attacks. --------------------------------------------- https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-… ∗∗∗ Bericht: IT-Sicherheit in Gesundheitsämtern vernachlässigt ∗∗∗ --------------------------------------------- Fehlendes Know-How, knappes Budget und unsichere Software. Ein Bericht schildert gravierende Sicherheitslücken in Gesundheitsämtern. --------------------------------------------- https://www.heise.de/-9404608.html ∗∗∗ Don’t throw a hissy fit; defend against Medusa ∗∗∗ --------------------------------------------- Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. --------------------------------------------- https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-agai… ∗∗∗ Cyber Threat Intelligence: Den Gegnern auf der Spur ∗∗∗ --------------------------------------------- Durch das Sammeln, Analysieren und Kontextualisieren von Informationen über mögliche Cyber-Bedrohungen, einschließlich der fortschrittlichsten, bietet Threat Intelligence eine wichtige Methode zur Identifizierung, Bewertung und Minderung von Cyber-Risiken --------------------------------------------- https://www.welivesecurity.com/de/business-security/cyber-threat-intelligen… ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-adds-six-known-expl… ∗∗∗ Ransomware tracker: The latest figures [November 2023] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current Ransomware attacks across several key sectors dipped significantly in October, breaking a streak that has gone on for much of 2023. Ransomware gangs posted 243 victims to their extortion sites in October — a sharp decrease from the 455 [...] --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ RCE-Exploit für Wyze Cam v3 veröffentlicht (Nov. 2023) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Besitzer von Indoor-Kameras des Anbieters Wyze. Deren Modell Wyze Com v3 enthält wohl Schwachstellen, über die Dritte auf die Kameradaten zugreifen können. Inzwischen ist ein RCE-Exploit für die Wyze Cam v3 veröffentlicht worden. --------------------------------------------- https://www.borncity.com/blog/2023/11/11/rce-exploit-fr-wyze-cam-v3-verffen… ∗∗∗ Facebook Fake-Benachrichtigungen "Seiten wegen Verletzung der Gemeinschaftsstandard gesperrt" ∗∗∗ --------------------------------------------- Auf Facebook scheint eine kriminelle Masche über den Messenger zu laufen, bei denen die Empfänger angeblich von Facebook-Meta-Mitarbeitern informiert werden, dass die Seiten wegen Verletzungen der Gemeinschaftsstandards o.ä. gesperrt worden seien. Es kommt ein Link mit Aufforderung zum Entsperren. Das ist aber Fake und ein Phishing-Versuch, um die Zugangsdaten abzufischen. --------------------------------------------- https://www.borncity.com/blog/2023/11/12/facebook-fake-benachrichtigungen-s… ∗∗∗ OracleIV DDoS Botnet Malware Targets Docker Engine API Instances ∗∗∗ --------------------------------------------- OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. --------------------------------------------- https://www.hackread.com/oracleiv-ddos-botnet-malware-docker-engine-api-ins… ∗∗∗ ACSC and CISA Release Business Continuity in a Box ∗∗∗ --------------------------------------------- Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASDs ACSC) and CISA released Business Continuity in a Box. Business Continuity in a Box, developed by ACSC with contributions from CISA, assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/acsc-and-cisa-release-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Local Privliege Escalation in Check Point Endpoint Security Remediation Service ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. --------------------------------------------- https://support.checkpoint.com/results/sk/sk181597 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (audiofile and ffmpeg), Fedora (keylime, python-pillow, and tigervnc), Mageia (quictls and vorbis-tools), Oracle (grub2), Red Hat (galera, mariadb, plexus-archiver, python, squid, and squid34), and SUSE (clamav, kernel, mupdf, postgresql14, tomcat, tor, and vlc). --------------------------------------------- https://lwn.net/Articles/951237/ ∗∗∗ CVE-2023-5950 Rapid7 Velociraptor Reflected XSS ∗∗∗ --------------------------------------------- This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/10/cve-2023-5950-rapid7-velocirapt… ∗∗∗ Ivanti EPMM CVE-2023-39335/39337 ∗∗∗ --------------------------------------------- As part of our ongoing strengthening of the security of our products we have discovered two new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. We are reporting these vulnerabilities as CVE-2023-39335 and CVE-2023-39337. --------------------------------------------- https://www.ivanti.com/blog/ivanti-epmm-cve-2023-39335-39337 ∗∗∗ Mutiple Vulnerabilties Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7071340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2023
by Daily end-of-shift report 10 Nov '23

10 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-11-2023 18:00 − Freitag 10-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ducktail fashion week ∗∗∗ --------------------------------------------- The Ducktail malware, designed to hijack Facebook business and ads accounts, sends marketing professionals fake ads for jobs with major clothing manufacturers. --------------------------------------------- https://securelist.com/ducktail-fashion-week/111017/ ∗∗∗ Routers Targeted for Gafgyt Botnet [Guest Diary], (Thu, Nov 9th) ∗∗∗ --------------------------------------------- The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/30390 ∗∗∗ Malware: Mehr als 600 Millionen Downloads 2023 in Google Play ∗∗∗ --------------------------------------------- Kaspersky hat in diesem Jahr bereits mehr als 600 Millionen Malware-Downloads aus dem Google-Play-Store gezählt. Der bleibt aber sicherste Paketquelle. --------------------------------------------- https://www.heise.de/news/Malware-Mehr-als-600-Millionen-Downloads-2023-in-… ∗∗∗ Demystifying Cobalt Strike’s “make_token” Command ∗∗∗ --------------------------------------------- Cobalt Strike provides the make_token command to achieve a similar result to runas /netonly. --------------------------------------------- https://research.nccgroup.com/2023/11/10/demystifying-cobalt-strikes-make_t… ∗∗∗ High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites ∗∗∗ --------------------------------------------- Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats. --------------------------------------------- https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/ ∗∗∗ Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518 ∗∗∗ --------------------------------------------- We encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, matrix-synapse, and xorg-x11-server-Xwayland), Mageia (squid and vim), Oracle (dnsmasq, python3, squid, squid:4, and xorg-x11-server), Red Hat (fence-agents, insights-client, kernel, kpatch-patch, mariadb:10.5, python3, squid, squid:4, tigervnc, and xorg-x11-server), Scientific Linux (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, python-reportlab, python3, squid, thunderbird, and xorg-x11-server), [...] --------------------------------------------- https://lwn.net/Articles/951066/ ∗∗∗ Multiple Vulnerabilities in QuMagie ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-50 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-24 ∗∗∗ AIX is affected by a denial of service (CVE-2023-45167) and a security restrictions bypass (CVE-2023-40217) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7068084 ∗∗∗ Multiple vulnerabilities in Eclipse Jetty affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070298 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU plus CVE-2023-2597 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070548 ∗∗∗ Multiple security vulnerabilities have been identified in IBM DB2 which is shipped with IBM Intelligent Operations Center. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070539 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ Ivanti Secure Access Client security notifications ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/ivanti-secure-access-client-security-notificati… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2023
by Daily end-of-shift report 09 Nov '23

09 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-11-2023 18:00 − Donnerstag 09-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Highly invasive backdoor snuck into open source packages targets developers ∗∗∗ --------------------------------------------- Packages downloaded thousands of times targeted people working on sensitive projects. --------------------------------------------- https://arstechnica.com/?p=1982281 ∗∗∗ Google ads push malicious CPU-Z app from fake Windows news site ∗∗∗ --------------------------------------------- A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ads-push-malicious-cp… ∗∗∗ Visual Examples of Code Injection, (Thu, Nov 9th) ∗∗∗ --------------------------------------------- I spotted an interesting sample that perform this technique and I was able to collect “visible” information. The malware was delivered through a phishing email with a ZIP archive. --------------------------------------------- https://isc.sans.edu/diary/rss/30388 ∗∗∗ Google Play: Extra-Sicherheitsprüfungen sollen Apps vertrauenswürdiger machen ∗∗∗ --------------------------------------------- Ab sofort sind bestimmte Apps in Google Play mit einem neuen Banner gekennzeichnet, der mehr Sicherheit garantieren soll. Den Anfang machen einige VPN-Apps. --------------------------------------------- https://www.heise.de/-9357280 ∗∗∗ Spammers abuse Google Forms’ quiz to deliver scams ∗∗∗ --------------------------------------------- Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. --------------------------------------------- https://blog.talosintelligence.com/google-forms-quiz-spam/ ∗∗∗ GhostLocker - A “Work In Progress” RaaS ∗∗∗ --------------------------------------------- GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/08/ghostlocker-a-work-in-progress-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp). --------------------------------------------- https://lwn.net/Articles/950850/ ∗∗∗ CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine (Severity: MEDIUM) ∗∗∗ --------------------------------------------- This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3282 ∗∗∗ CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest ∗∗∗ --------------------------------------------- A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-… ∗∗∗ Drupal: GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-051 ∗∗∗ Drupal: GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-050 ∗∗∗ Weidmüller: WIBU Vulnerability in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-032/ ∗∗∗ Johnson Controls Quantum HD Unity ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 ∗∗∗ Hitachi Energy eSOMS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02 ∗∗∗ IBM Security Guardium is affected by denial of service vulnerabilities (CVE-2023-3635, CVE-2023-28118) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069238 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in Apache Struts (CVE-2023-34149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069237 ∗∗∗ Vulnerabilities in Linux Kernel, Samba, Golang, Curl, and openssl can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069319 ∗∗∗ A vulnerability in Samba affects IBM Storage Scale SMB protocol access method (CVE-2022-2127) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2023
by Daily end-of-shift report 08 Nov '23

08 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-11-2023 18:00 − Mittwoch 08-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Example of Phishing Campaign Project File, (Wed, Nov 8th) ∗∗∗ --------------------------------------------- We all have a love and hate relation with emails. When newcomers on the Internet starts to get emails, they are so happy but their feeling changes quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purpose. --------------------------------------------- https://isc.sans.edu/diary/rss/30384 ∗∗∗ Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation ∗∗∗ --------------------------------------------- Cybersecurity researchers have developed whats the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft Azure Automation service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victims environment without attracting any attention. --------------------------------------------- https://thehackernews.com/2023/11/researchers-uncover-undetectable-crypto.h… ∗∗∗ Hunderte Experten warnen vor staatlichen Root-Zertifikaten ∗∗∗ --------------------------------------------- Bald sollen EU-Bürger sich auf grenzüberschreitende elektronische Dienste und Vertrauensstellen verlassen müssen. Experten schlagen Alarm. --------------------------------------------- https://www.heise.de/-9355165.html ∗∗∗ Angebliches LinkedIn-Datenleck: Daten von Tätern konstruiert ∗∗∗ --------------------------------------------- Im digitalen Untergrund haben Kriminelle Daten aus einem angeblichen LinkedIn-Leck angeboten. Diese entpuppen sich als künstlich aufgebläht. --------------------------------------------- https://www.heise.de/-9355976.html ∗∗∗ Tool Release: Magisk Module – Conscrypt Trust User Certs ∗∗∗ --------------------------------------------- Android 14 introduced a new feature which allows to remotely install CA certificates. This change implies that instead of using the /system/etc/security/cacerts directory to check the trusted CA’s, this new feature uses the com.android.conscrypt APEX module, and reads the certificates from the directory /apex/com.android.conscrypt/cacerts. Inspired by this blog post by Tim Perry, I decided to create a [...] --------------------------------------------- https://research.nccgroup.com/2023/11/08/tool-release-magisk-module-conscry… ∗∗∗ Sumo Logic Urges Users to Change Credentials Due to Security Breach ∗∗∗ --------------------------------------------- Cloud monitoring and SIEM firm Sumo Logic is urging users to rotate credentials following the discovery of a security breach. --------------------------------------------- https://www.securityweek.com/sumo-logic-urges-users-to-change-credentials-d… ∗∗∗ Vorsicht vor stark verbilligten Amazon-Schnäppchen ∗∗∗ --------------------------------------------- Man glaubt es kaum: Tablets, Smartphones oder Notebooks, die auf Amazon um die Hälfte billiger angeboten werden. Solche Schnäppchen entpuppen sich aber als Lockangebote, um Ihnen Geld zu stehlen. Wir zeigen Ihnen, wie diese Betrugsmasche funktioniert! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-stark-verbilligten-amaz… ∗∗∗ Vorsicht vor vermeintlichen Rechnungen der „Click Office World“ ∗∗∗ --------------------------------------------- Fake-Rechnungen sind nichts Neues in der Welt des Unternehmensbetrugs, aktuell scheinen Betrüger:innen jedoch wieder massenhaft solche Rechnungen zu versenden. So erhalten viele Unternehmen derzeit per Post englischsprachige Rechnungen von „CLICK OFFICE WORLD“, in denen eine 14-tägige Zahlungsfrist und ein Betrag von 955 Euro gefordert werden. Zahlen Sie nichts, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-vermeintlichen-rechnung… ∗∗∗ Warning Against Phobos Ransomware Distributed via Vulnerable RDP ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant known for sharing technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with vulnerable securities as attack vectors. --------------------------------------------- https://asec.ahnlab.com/en/58753/ ∗∗∗ Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware ∗∗∗ --------------------------------------------- Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. --------------------------------------------- https://www.hackread.com/lazarus-bluenoroff-apt-macos-objcshellz-malware/ ∗∗∗ A Balanced Approach: New Security Headers Grading Criteria ∗∗∗ --------------------------------------------- The Security Headers grading criteria is something that doesnt change often, but when it does, theres a good reason behind the change. In this blog, I will outline the new grading criteria and the reasons why weve made the change. --------------------------------------------- https://scotthelme.co.uk/a-balanced-approach-new-security-headers-grading-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Kritische System-Lücke bedroht Android 11, 12 und 13 ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für verschiedene Android-Versionen veröffentlicht. --------------------------------------------- https://www.heise.de/-9355953.html ∗∗∗ Malware-Schutz: Rechteausweitung in Trend Micros Apex One möglich ∗∗∗ --------------------------------------------- In Trend Micros Schutzsoftware Apex One können Angreifer Schwachstellen missbrauchen, um ihre Privilegien auszuweiten. Updates korrigieren das. --------------------------------------------- https://www.heise.de/-9356484.html ∗∗∗ Webbrowser: Lücke mit hohem Risiko in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Google schließt mit dem Update von Chrome eine hochriskante Sicherheitslücke, die Webseiten offenbar das Unterschieben von Schadcode ermöglicht. --------------------------------------------- https://www.heise.de/-9355888.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-urllib3 and tang), Fedora (chromium, mlpack, open-vm-tools, and salt), Red Hat (avahi, binutils, buildah, c-ares, cloud-init, containernetworking-plugins, cups, curl, dnsmasq, edk2, flatpak, frr, gdb, ghostscript, glib2, gmp, grafana, haproxy, httpd, mod_http2, java-21-openjdk, kernel, krb5, libfastjson, liblouis, libmicrohttpd, libpq, libqb, librabbitmq, LibRaw, libreoffice, libreswan, libssh, libtiff, libvirt, libX11, linux-firmware, mod_auth_openidc, ncurses, nghttp2, opensc, pcs, perl-CPAN, perl-HTTP-Tiny, podman, procps-ng, protobuf-c, python-cryptography, python-pip, python-tornado, python-wheel, python3.11, python3.11-pip, python3.9, qemu-kvm, qt5 stack, runc, samba, samba, evolution-mapi, openchange, shadow-utils, skopeo, squid, sysstat, tang, tomcat, toolbox, tpm2-tss, webkit2gtk3, wireshark, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), Slackware (sudo), SUSE (squid), and Ubuntu (python-urllib3). --------------------------------------------- https://lwn.net/Articles/950694/ ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29552 Service Location Protocol (SLP) Denial-of-Service Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/08/cisa-adds-one-known-expl… ∗∗∗ GE MiCOM S1 Agile ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2023
by Daily end-of-shift report 07 Nov '23

07 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-11-2023 18:00 − Dienstag 07-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft Authenticator now blocks suspicious MFA alerts by default ∗∗∗ --------------------------------------------- Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-… ∗∗∗ MacBook Pro M3 läuft unter Umständen noch mit altem macOS – Update nicht möglich ∗∗∗ --------------------------------------------- Auf manchem neuen MacBook Pro M3 läuft eine Version von macOS 13, die gravierende Sicherheitslücken hat. Sie lässt sich offenbar nicht direkt updaten. --------------------------------------------- https://www.heise.de/-9355709 ∗∗∗ New GootLoader Malware Variant Evades Detection and Spreads Rapidly ∗∗∗ --------------------------------------------- A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. --------------------------------------------- https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html ∗∗∗ Phishing With Dynamite ∗∗∗ --------------------------------------------- Token stealing is getting harder. Instead, stealing whole logged-in browser instances may be an easier and more generic approach. One attack, known as “browser-in-the-middle” (BitM), makes it possible to virtually place a user in front of our browser and request them to log in for us. One of my old work buddies referred to it as “phishing with dynamite” after using it on a few social engineering campaigns. --------------------------------------------- https://posts.specterops.io/phishing-with-dynamite-7d33d8fac038 ∗∗∗ D0nut encrypt me, I have a wife and no backups ∗∗∗ --------------------------------------------- Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group. --------------------------------------------- https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and… ∗∗∗ Post-exploiting a compromised etcd – Full control over the cluster and its nodes ∗∗∗ --------------------------------------------- When considering the attack surface in Kubernetes, we consider certain unauthenticated components, such as the kube-apiserver and kubelet, as well as leaked tokens or credentials that grant access to certain cluster features, and non-hardened containers that may provide access to the underlying host. However, when discussing etcd, it is often perceived solely as an information storage element within the cluster from which secrets can be extracted. However, etcd is much more than that. --------------------------------------------- https://research.nccgroup.com/2023/11/07/post-exploiting-a-compromised-etcd… ∗∗∗ Generating IDA Type Information Libraries from Windows Type Libraries ∗∗∗ --------------------------------------------- In this quick-post, well explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL). --------------------------------------------- https://blog.nviso.eu/2023/11/07/generating-ida-type-information-libraries-… ∗∗∗ CISA Published When to Issue VEX Information ∗∗∗ --------------------------------------------- This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/06/cisa-published-when-issu… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Zwei kritische Lücken bedrohen Monitoringtool Veeam One ∗∗∗ --------------------------------------------- Die Entwickler haben in Veeam One unter anderem zwei kritische Schwachstellen geschlossen. Im schlimmsten Fall kann Schadcode auf Systeme gelangen. --------------------------------------------- https://www.heise.de/-9354987 ∗∗∗ WS_FTP Server Arbitrary File Upload CVE-2023-42659 - (CRITICAL) ∗∗∗ --------------------------------------------- In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. --------------------------------------------- https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Novembe… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, redis, and squid), and Ubuntu (gsl). --------------------------------------------- https://lwn.net/Articles/950523/ ∗∗∗ 37 Vulnerabilities Patched in Android With November 2023 Security Updates ∗∗∗ --------------------------------------------- The Android security updates released this week resolve 37 vulnerabilities, including a critical information disclosure bug. --------------------------------------------- https://www.securityweek.com/37-vulnerabilities-patched-in-android-with-nov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ GE MiCOM S1 Agile ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23 ∗∗∗ Zyxel security advisory for improper privilege management vulnerability in GS1900 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2023
by Daily end-of-shift report 06 Nov '23

06 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-11-2023 18:00 − Montag 06-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Exchange: Vier 0-day-Schwachstellen ermöglichen RCE-Angriffe und Datenklau ∗∗∗ --------------------------------------------- Die Zero Day Initiative (ZDI) von Trend Micro hat gerade vier ungepatchte Schwachstellen (sogenannte 0-Days) in Microsoft Exchange öffentlich gemacht. Diese wurden im September 2023 an Microsoft gemeldet und ZDI stuft die mit CVSS-Scores von 7.1 bis 7.5 ein. Microsofts Sicherheitsexperten sehen die Schwachstellen als nicht so schwerwiegend an, dass diese ein sofortiges Handeln erfordern (zur Ausnutzung sei eine Authentifizierung erforderlich). Die Microsoft-Entwickler haben Fixes "für später" angekündigt. Daher ist die Zero Day Initiative an die Öffentlichkeit gegangen, da man trotzdem die Möglichkeit für RCE-Angriffe und Datenklau sieht. --------------------------------------------- https://www.borncity.com/blog/2023/11/04/microsoft-exchange-vier-0-day-schw… ∗∗∗ Sicherheitsupdates QNAP: Angreifer können eigene Befehle auf NAS ausführen ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches sichern Netzwerkspeicher von QNAP ab. Unbefugte können Daten einsehen. --------------------------------------------- https://www.heise.de/-9354109.html ∗∗∗ E-Mail von A1 mit einer Rechnung über € 289,60 ist Fake ∗∗∗ --------------------------------------------- Aktuell werden A1-Kund:innen mit einer gefälschten Rechnung über € 289,60 verunsichert. Im E-Mail – angeblich von A1 – steht, dass der Rechnungsbetrag „heute“ von Ihrem Bankkonto bzw. Ihrer Kreditkarte abgebucht wird. Im Anhang finden Sie die Infos zu Ihrer Rechnung. Wenn Sie auf den Anhang klicken, werden Sie auf eine gefälschte Login-Seite geführt. Kriminelle stehlen damit Ihre Zugangs- und Bankdaten! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-a1-mit-einer-rechnung-ueb… ∗∗∗ Socks5Systemz proxy service infects 10,000 systems worldwide ∗∗∗ --------------------------------------------- A proxy botnet called Socks5Systemz has been infecting computers worldwide via the PrivateLoader and Amadey malware loaders, currently counting 10,000 infected devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/socks5systemz-proxy-service-… ∗∗∗ Cybercrime service bypasses Android security to install malware ∗∗∗ --------------------------------------------- A new dropper-as-a-service (DaaS) named SecuriDropper has emerged, using a method that bypasses Android 13s Restricted Settings to install malware on devices and grant them access to the Accessibility Services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-… ∗∗∗ TellYouThePass ransomware joins Apache ActiveMQ RCE attacks ∗∗∗ --------------------------------------------- Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-jo… ∗∗∗ Gaming-related cyberthreats in 2023: Minecrafters targeted the most ∗∗∗ --------------------------------------------- Gaming-related threat landscape in 2023: desktop and mobile malware disguised as Minecraft, Roblox and other popular games, and the most widespread phishing schemes. --------------------------------------------- https://securelist.com/game-related-threat-report-2023/110960/ ∗∗∗ Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel ∗∗∗ --------------------------------------------- Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023. --------------------------------------------- https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.h… ∗∗∗ Persistence – Windows Telemetry ∗∗∗ --------------------------------------------- Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems [...] TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved. --------------------------------------------- https://pentestlab.blog/2023/11/06/persistence-windows-telemetry/ ∗∗∗ What is Classiscam Scam-as-a-Service? ∗∗∗ --------------------------------------------- "The Classiscam scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before,” touts Bleeping Computer. So just what is it? What is Classiscam? It’s a bird. It’s a plane. It’s - a pyramid? Classiscam is an enterprising criminal operation that uses a division of labor to organize low-level phishers into classified site scammers and takes a cut off the top. --------------------------------------------- https://www.tripwire.com/state-of-security/what-classiscam-scam-service ∗∗∗ Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 ∗∗∗ --------------------------------------------- As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitatio… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II ∗∗∗ --------------------------------------------- Based on our previous research, we also discovered Pre-auth RCE vulnerabilities((CVE-2023-0853、CVE-2023-0854) in other models of Canon printers. For the HP vulnerability, we had a collision with another team. In this section, we will detail the Canon and HP vulnerabilities we exploited during Pwn2own Toronto. --------------------------------------------- https://devco.re/blog/2023/11/06/your-printer-is-not-your-printer-hacking-p… ∗∗∗ Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware ∗∗∗ --------------------------------------------- Beware of Provocative Facebook Ads, Warn Researchers! --------------------------------------------- https://www.hackread.com/provocative-facebook-ads-nodestealer-malware/ ∗∗∗ Scanning KBOM for Vulnerabilities with Trivy ∗∗∗ --------------------------------------------- Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our all in one, popular open source security scanner. In the blog we discussed how KBOM is the manifest of all the important components that make up your Kubernetes cluster: Control plane components, Node Components, and Addons, including their versions and images. --------------------------------------------- https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy ∗∗∗ Security updates 1.6.5 and 1.5.6 released ∗∗∗ --------------------------------------------- We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They all contain a fix for recently reported security vulnerability. [...] We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. --------------------------------------------- https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5). --------------------------------------------- https://lwn.net/Articles/950413/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2023
by Daily end-of-shift report 03 Nov '23

03 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-11-2023 18:00 − Freitag 03-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New macOS KandyKorn malware targets cryptocurrency engineers ∗∗∗ --------------------------------------------- A new macOS malware dubbed KandyKorn has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-macos-kandykorn-malware-… ∗∗∗ Atlassian warns of exploit for Confluence data wiping bug, get patching ∗∗∗ --------------------------------------------- Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-f… ∗∗∗ Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons ∗∗∗ --------------------------------------------- Researchers discovered spyware designed to steal from Android devices and from Telegram mods can also reach WhatsApp users. --------------------------------------------- https://www.darkreading.com/dr-global/spyware-designed-for-telegram-mods-al… ∗∗∗ Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments ∗∗∗ --------------------------------------------- The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. --------------------------------------------- https://thehackernews.com/2023/11/kinsing-actors-exploit-linux-flaw-to.html ∗∗∗ 48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems ∗∗∗ --------------------------------------------- A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. --------------------------------------------- https://thehackernews.com/2023/11/48-malicious-npm-packages-found.html ∗∗∗ Prioritising Vulnerabilities Remedial Actions at Scale with EPSS ∗∗∗ --------------------------------------------- In this article, I’m presenting the Exploit Prediction Scoring System and its practical use cases in tandem with Common Vulnerability Scoring System. --------------------------------------------- https://itnext.io/prioritising-vulnerabilities-remedial-actions-at-scale-wi… ∗∗∗ Einstufung von Sicherheitslücken: Der CVSS-4.0-Standard ist da ∗∗∗ --------------------------------------------- Von niedrig bis kritisch: Das Common Vulnerability Scoring System (CVSS) hat einen Versionssprung vollzogen. --------------------------------------------- https://www.heise.de/-9352555 ∗∗∗ Apples "Wo ist": Keylogger-Tastatur nutzt Ortungsnetz zum Passwortversand ∗∗∗ --------------------------------------------- Eigentlich soll es helfen, verlorene Dinge aufzuspüren. Unsere Keylogger-Tastatur nutzt Apples "Wo ist"-Ortungsnetz jedoch zum Ausschleusen von Daten. --------------------------------------------- https://www.heise.de/-9342791 ∗∗∗ Lücke in VMware ONE UEM ermöglicht Login-Klau ∗∗∗ --------------------------------------------- Durch eine unsichere Weiterleitung können Angreifer SAML-Tokens angemeldeter Nutzer klauen und deren Zugänge übernehmen. VMware stellt Updates bereit. --------------------------------------------- https://www.heise.de/-9352599 ∗∗∗ Should you allow your browser to remember your passwords? ∗∗∗ --------------------------------------------- It’s very convenient to store your passwords in your browser. But is it a good idea? --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/11/should-you-allow-your-browse… ∗∗∗ You’d be surprised to know what devices are still using Windows CE ∗∗∗ --------------------------------------------- Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-nov-2-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP Security Advisories 2023-11-04 ∗∗∗ --------------------------------------------- QNAP released 4 new security advisories (2x Critical, 2x Medium). Music Station, QTS, QuTS hero, QuTScloud, Multimedia Console and Media Streaming add-on. --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (phppgadmin and vlc), Fedora (attract-mode, chromium, and netconsd), Red Hat (.NET 7.0, c-ares, curl, ghostscript, insights-client, python, squid, and squid:4), SUSE (kernel and roundcubemail), and Ubuntu (libsndfile). --------------------------------------------- https://lwn.net/Articles/950061/ ∗∗∗ Vulnerability in IBM SDK, Java Technology Edition may affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7066311 ∗∗∗ Multiple security vulnerabilities in Go may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7066400 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2023
by Daily end-of-shift report 02 Nov '23

02 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-10-2023 18:00 − Donnerstag 02-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New CVSS 4.0 vulnerability severity rating standard released ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-se… ∗∗∗ Nur zwei wurden gepatcht: Schwachstellen in 34 Treibern gefährden Windows-Systeme ∗∗∗ --------------------------------------------- Sicherheitsforscher der VMware Threat Analysis Unit (Tau) haben Schwachstellen in insgesamt 34 verschiedenen Windows-Gerätetreibern identifiziert. Böswillige Akteure können Firmwares gezielt manipulieren und sich auf Zielsystemen höhere Rechte verschaffen. "Alle Treiber geben Nicht-Admin-Benutzern volle Kontrolle über die Geräte", erklären die Forscher in ihrem Bericht. --------------------------------------------- https://www.golem.de/news/nur-zwei-wurden-gepatcht-schwachstellen-in-34-tre… ∗∗∗ Windows 11, version 23H2 security baseline ∗∗∗ --------------------------------------------- This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows… ∗∗∗ Moderne Telefonbetrüger: Wie Betrüger Geld mit nur einem Telefonanruf stehlen ∗∗∗ --------------------------------------------- In diesem Blogbeitrag wird eine Schwachstelle in einer Bankanwendung beschrieben, die es Angreifern ermöglicht, unbemerkt Geldtransaktionen von bis zu 5.000 € im Namen anderer Benutzer durchzuführen. Darüber hinaus werden weitere mögliche Angriffsszenarien beschrieben, mit denen persönliche Informationen abgegriffen werden können. --------------------------------------------- https://sec-consult.com/de/blog/detail/moderne-telefonbetrueger-wie-betrueg… ∗∗∗ Jetzt patchen! Attacken auf BIG-IP-Appliances beobachtet ∗∗∗ --------------------------------------------- F5 warnt vor Angriffen auf BIG-IP-Appliances. Sicherheitspatches stehen bereit. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/-9350108 ∗∗∗ Sicherheitslücken: Angreifer können Cisco-Firewalls manipulieren ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden unter anderem Cisco Firepower und Identity Services Engine. Patches sind verfügbar. --------------------------------------------- https://www.heise.de/-9351087 ∗∗∗ MITRE ATT&CK v14 released ∗∗∗ --------------------------------------------- MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. MITRE ATT&CK v14 ATT&CK’s goal is to catalog and categorize behaviors of cyber adversaries in real-world attacks. --------------------------------------------- https://www.helpnetsecurity.com/2023/11/02/mitre-attck-v14/ ∗∗∗ Unveiling the Dark Side: A Deep Dive into Active Ransomware Families ∗∗∗ --------------------------------------------- This series will focus on TTP’s deployed by four ransomware families recently observed during NCC Group’s incident response engagements. --------------------------------------------- https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-div… ∗∗∗ Wer hat Mozi getötet? IoT-Zombie-Botnetz wurde endlich zu Grabe tragen ∗∗∗ --------------------------------------------- Wie ESET Research einen Kill-Switch gefunden hat, der dazu benutzt wurde, eines der am weitesten verbreiteten Botnets auszuschalten. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/wer-hat-mozi-getotet-iot-zo… ∗∗∗ Kostenlose Webinar-Reihe „Schutz im Internet“ ∗∗∗ --------------------------------------------- In Kooperation mit der Arbeiterkammer Oberösterreich veranstaltet das ÖIAT (Österreichisches Institut für angewandte Telekommunikation) eine kostenlose Webinar-Reihe zu Themen wie Online-Shopping, Internet-Betrug und Identitätsdiebstahl! --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-schutz-im-i… ∗∗∗ Drupal 9 is end of life - PSA-2023-11-01 ∗∗∗ --------------------------------------------- Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9. --------------------------------------------- https://www.drupal.org/psa-2023-11-01 ∗∗∗ Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) ∗∗∗ --------------------------------------------- Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed. The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware. --------------------------------------------- https://asec.ahnlab.com/en/58319/ ∗∗∗ Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox” ∗∗∗ --------------------------------------------- Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams. --------------------------------------------- https://blog.talosintelligence.com/roblox-scam-overview/ ∗∗∗ Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 ∗∗∗ --------------------------------------------- Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments ∗∗∗ --------------------------------------------- As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree [...] In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing. Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring. --------------------------------------------- https://www.thezdi.com/blog/2023/11/1/unpatched-powerful-ssrf-in-exchange-o… ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco has released 24 new and 4 updated Security Advisories (2x Critical, 11x High, 15x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Critical PHPFox RCE Vulnerability Risked Social Networks ∗∗∗ --------------------------------------------- Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers [...] The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix. --------------------------------------------- https://latesthackingnews.com/2023/10/30/critical-phpfox-rce-vulnerability-… ∗∗∗ Webbrowser: Google Chrome bessert 15 Schwachstellen aus und kann HTTPS-Upgrades ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 119 veröffentlicht. Sie schließt 15 Sicherheitslücken und etabliert den HTTPS-Upgrade-Mechanismus. --------------------------------------------- https://www.heise.de/-9349956 ∗∗∗ Sicherheitsupdates Nvidia: GeForce-Treiberlücken gefährden PCs ∗∗∗ --------------------------------------------- Nvidias Entwickler haben im Grafikkartentreiber und der VGPU-Software mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9351600 ∗∗∗ Solarwinds Platform 2023.4 schließt Codeschmuggel-Lücken ∗∗∗ --------------------------------------------- Solarwinds hat das Platform-Update auf Version 2023.4 veröffentlicht. Neben diversen Fehlerkorrekturen schließt es auch Sicherheitslücken. --------------------------------------------- https://www.heise.de/-9351584 ∗∗∗ VMSA-2023-0025 ∗∗∗ --------------------------------------------- An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products. (CVE-2023-20886) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (h2o, open-vm-tools, pmix, and zookeeper), Gentoo (GitPython), Oracle (firefox, java-11-openjdk, java-17-openjdk, libguestfs-winsupport, nginx:1.22, and thunderbird), Red Hat (samba), SUSE (container-suseconnect, libsndfile, and slurm), and Ubuntu (krb5, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-laptop, linux-nvidia-6.2, linux-oem-6.1, linux-raspi, open-vm-tools, and xorg-server). --------------------------------------------- https://lwn.net/Articles/949612/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp). --------------------------------------------- https://lwn.net/Articles/949820/ ∗∗∗ [R1] Nessus Version 10.5.6 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-36 ∗∗∗ [R1] Nessus Agent Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-38 ∗∗∗ [R1] Nessus Version 10.6.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-37 ∗∗∗ Drupal: Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-049 ∗∗∗ Open Exchange: 2023-08-01: OXAS-ADV-2023-0004 ∗∗∗ --------------------------------------------- https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-202… ∗∗∗ IBM Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Weintek EasyBuilder Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05 ∗∗∗ Schneider Electric SpaceLogic C-Bus Toolkit ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06 ∗∗∗ Franklin Fueling System TS-550 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04 ∗∗∗ Red Lion Crimson ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02 ∗∗∗ Mitsubishi Electric MELSEC Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2023
by Daily end-of-shift report 31 Oct '23

31 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-10-2023 18:00 − Dienstag 31-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CVE-2023-4966 in Citrix NetScaler ADC und NetScaler Gateway wurde bereits als 0-day ausgenutzt ∗∗∗ --------------------------------------------- Uns wurde inzwischen von drei Organisationen in Österreich berichtet, dass Angreifer aufgrund der Sicherheitslücke im Citrix Server in ihren Systemen aktiv geworden sind, bevor Patches von Citrix verfügbar waren. Es wurden Befehle zur Erkundung des Systems und erste Schritte in Richtung lateral Movement beobachtet. Wir gehen inzwischen von einer weitläufigen Ausnutzung dieses 0-days aus. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/cve-2023-4966-0day ∗∗∗ Exploit für Cisco IOS XE veröffentlicht, Infektionszahlen weiter hoch ∗∗∗ --------------------------------------------- Sicherheitsforscher haben den Exploit für Cisco IOS XE untersucht und seinen simplen Trick aufgedeckt. Hunderte Geräte mit Hintertür sind noch online. --------------------------------------------- https://www.heise.de/-9349296 ∗∗∗ Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st) ∗∗∗ --------------------------------------------- It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing). --------------------------------------------- https://isc.sans.edu/diary/rss/30362 ∗∗∗ Malicious NuGet Packages Caught Distributing SeroXen RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html ∗∗∗ LDAP authentication in Active Directory environments ∗∗∗ --------------------------------------------- Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries. --------------------------------------------- https://offsec.almond.consulting/ldap-authentication-in-active-directory-en… ∗∗∗ Programmiersprache: End of Life für PHP 8.0 und Neues für PHP 8.3 ∗∗∗ --------------------------------------------- Die kommende Version 8.3 der Programmiersprache PHP hält einige Neuerungen bereit, und PHP 8.0 nähert sich dem Supportende. --------------------------------------------- https://www.heise.de/-9348772 ∗∗∗ Verkaufen auf etsy: Vorsicht vor betrügerischen Anfragen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen tummeln sich Kriminelle. Sie nehmen vor allem neue Nutzer:innen ins Visier, die die Abläufe noch nicht kennen. Wir zeigen Ihnen, wie Sie betrügerische Anfragen erkennen und sicher verkaufen! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-etsy-vorsicht-vor-betr… ∗∗∗ Lateral Movement: Abuse the Power of DCOM Excel Application ∗∗∗ --------------------------------------------- In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”. --------------------------------------------- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-… ∗∗∗ Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) ∗∗∗ --------------------------------------------- While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload. --------------------------------------------- https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backd… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Confluence Data Center und Confluence Server ∗∗∗ --------------------------------------------- In allen Versionen von Confluence Data Center und Confluence Server existiert eine kritische Sicherheitslücke (CVE-2023-22518 CVSS: 9.1). Das Ausnutzen der Sicherheitslücke auf betroffenen Geräten ermöglicht nicht authentifizierten Angreifern den Zugriff auf interne Daten des Systems. Obwohl Atlassian bislang keine Informationen zur aktiven Ausnutzung der Lücke hat, wird das zeitnahe Einspielen der verfügbaren Patches empfohlen. --------------------------------------------- https://cert.at/de/warnungen/2023/10/confluence-cve-2023-22518 ∗∗∗ RCE exploit for Wyze Cam v3 publicly released, patch now ∗∗∗ --------------------------------------------- A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices [...] Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-… ∗∗∗ Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets ∗∗∗ --------------------------------------------- Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/30/unpatched_ng… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0). --------------------------------------------- https://lwn.net/Articles/949391/ ∗∗∗ FujiFilm printer credentials encryption issue fixed ∗∗∗ --------------------------------------------- Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials on them to allow users to upload scans and other files to FTP and SMB file servers. With the default configuration of these printers, it’s possible to retrieve these credentials in an encrypted format without authenticating to the printer. A vulnerability in the encryption process of these credentials means that you can decrypt them with responses from the web interface. This has been given the ID CVE-2023-46327. --------------------------------------------- https://www.pentestpartners.com/security-blog/fujifilm-printer-credentials-… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202310.1 ∗∗∗ --------------------------------------------- TNS-2023-35 / Critical 9.8 / 8.8 (CVE-2023-38545), 3.7 / 3.4 (CVE-2023-38546) --------------------------------------------- https://www.tenable.com/security/tns-2023-35 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ INEA ME RTU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02 ∗∗∗ Zavio IP Camera ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03 ∗∗∗ Sonicwall: TunnelCrack Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2023
by Daily end-of-shift report 30 Oct '23

30 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-10-2023 18:00 − Montag 30-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th) ∗∗∗ --------------------------------------------- The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages. --------------------------------------------- https://isc.sans.edu/diary/rss/30358 ∗∗∗ Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware ∗∗∗ --------------------------------------------- A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE. --------------------------------------------- https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html ∗∗∗ Turning a boring file move into a privilege escalation on Mac ∗∗∗ --------------------------------------------- Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2. --------------------------------------------- https://pwn.win/2023/10/28/file-move-privesc-mac.html ∗∗∗ citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation ∗∗∗ --------------------------------------------- CERT.at stellt via Github ein Skript zur Verfügung, welches genutzt werden kann, um Citrix-Logs nach potenziell übernommenen Sessions zu durchsuchen. Sollten auffällige Sessions gefunden werden, wird eine tiefergehende Analyse empfohlen. --------------------------------------------- https://github.com/certat/citrix-logchecker ∗∗∗ NATO und Behörden von kritischer Lücke in Lernplattform ILIAS betroffen ∗∗∗ --------------------------------------------- Gleich drei Sicherheitslücken in der Open-Source-Lernplattform ILIAS erlauben Codeschmuggel. Der Hersteller stellt eine aktualisierte Version bereit. --------------------------------------------- https://www.heise.de/-9344057.html ∗∗∗ Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr ∗∗∗ --------------------------------------------- Mobilfunker und Regulierer unternehmen laut einem Bericht des Citizen Lab zu wenig, um Sicherheitsschwächen der Roaming- und Abrechnungsprotokolle auszumerzen. --------------------------------------------- https://www.heise.de/-9347577.html ∗∗∗ F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) ∗∗∗ --------------------------------------------- F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain. --------------------------------------------- https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/ ∗∗∗ Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack ∗∗∗ --------------------------------------------- Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack. --------------------------------------------- https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-… ∗∗∗ Vorsicht vor Fake-Shops mit günstigen Lebensmitteln ∗∗∗ --------------------------------------------- Mittlerweile können Sie auch Lebensmittel online bestellen. Bedenken Sie aber: Auch hier gibt es betrügerische Angebote. Kriminelle bieten stark vergünstigte Lebensmittel in Fake-Shops wie leckerwurzede.com an. Wenn Sie dort bestellen, verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstig… ∗∗∗ CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys ∗∗∗ --------------------------------------------- We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-key… ∗∗∗ NetSupport Intrusion Results in Domain Compromise ∗∗∗ --------------------------------------------- NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise. --------------------------------------------- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, and slurm-llnl, slurm-wlm). --------------------------------------------- https://lwn.net/Articles/949238/ ∗∗∗ Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-e… ∗∗∗ Inkdrop vulnerable to code injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN48057522/ ∗∗∗ 2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&Language… ∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061278 ∗∗∗ IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7060686 ∗∗∗ Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061888 ∗∗∗ IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061939 ∗∗∗ Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062331 ∗∗∗ A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062330 ∗∗∗ IBM Automation Decision Services October 2023 - Multiple CVEs addressed ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062348 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062415 ∗∗∗ Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062426 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2023
by Daily end-of-shift report 27 Oct '23

27 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-10-2023 18:00 − Freitag 27-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ StripedFly malware framework infects 1 million Windows, Linux hosts ∗∗∗ --------------------------------------------- A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework… ∗∗∗ How to catch a wild triangle ∗∗∗ --------------------------------------------- How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules. --------------------------------------------- https://securelist.com/operation-triangulation-catching-wild-triangle/11091… ∗∗∗ Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction ∗∗∗ --------------------------------------------- Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-cross… ∗∗∗ iLeakage: Safari unzureichend vor Spectre-Seitenkanalangriff geschützt ∗∗∗ --------------------------------------------- Sicherheitsforscher sagen, dass Apples Browser nicht ausreichend vor CPU-Seitenkanalangriffen schützt. Angreifer können Daten lesen. Es gibt Schutzmaßnahmen. --------------------------------------------- https://www.heise.de/-9344659 ∗∗∗ CISA, HHS Release Cybersecurity Healthcare Toolkit ∗∗∗ --------------------------------------------- CISA and the HHS have released resources for healthcare and public health organizations to improve their security. --------------------------------------------- https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-tool… ∗∗∗ CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater ∗∗∗ --------------------------------------------- The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem [...] This vulnerability has been fixed in the latest version of the Lenovo System Updater application. --------------------------------------------- https://posts.specterops.io/cve-2023-4632-local-privilege-escalation-in-len… ∗∗∗ ESET APT Activity Report Q2–Q3 2023 ∗∗∗ --------------------------------------------- An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023 --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2… ∗∗∗ Most common Active Directory misconfigurations and default settings that put your organization at risk ∗∗∗ --------------------------------------------- Introduction In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated. --------------------------------------------- https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurat… ∗∗∗ CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm ∗∗∗ --------------------------------------------- Citrixs NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967 [...] As of this post’s publish time, GreyNoise has observed just under seventy IP addresses attempting to exploit this vulnerability. --------------------------------------------- https://www.greynoise.io/blog/cve-2023-4966-helps-usher-in-a-bakers-dozen-o… ∗∗∗ CISA Announces Launch of Logging Made Easy ∗∗∗ --------------------------------------------- Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/27/cisa-announces-launch-lo… ∗∗∗ Rhysida Ransomware Technical Analysis ∗∗∗ --------------------------------------------- Technical analysis of Rhysida Ransomware family that emerged in the Q2 of 2023 --------------------------------------------- https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analys… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-299-01 Dingtian DT-R002 ICSA-23-299-02 Centralite Pearl Thermostat ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium ICSA-23-299-04 Rockwell Automation Arena ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform ICSA-23-299-07 Sielco PolyEco FM Transmitter ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/26/cisa-releases-nine-indus… ∗∗∗ Cisco Update: HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- Version 1.5: Updated the lists of vulnerable products and products confirmed not vulnerable. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Update: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 2.3: Updated summary to indicate additional fixed releases. Updated fixed release table and SMU table. Updated recommendations to add link to technical FAQ. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Juniper Update: 2023-10 Security Bulletin: Junos OS: jkdsd crash due to multiple telemetry requests (CVE-2023-44188) ∗∗∗ --------------------------------------------- 2023-10-25: Added note that SRX Series devices are not vulnerable to this issue --------------------------------------------- https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos… ∗∗∗ HPE Aruba Networking Product Security Advisory ∗∗∗ --------------------------------------------- HPE Aruba Networking has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. --------------------------------------------- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt ∗∗∗ Sicherheitsupdates: Jenkins-Plug-ins als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Jenkins kann bei der Softwareentwicklung helfen. Einige Plug-ins weisen Sicherheitslücken auf. Ein paar Updates stehen noch aus. --------------------------------------------- https://www.heise.de/-9344802 ∗∗∗ Sicherheitslücken im X.Org X-Server und Xwayland erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Aktualisierte Fassung des X.Org X-Servers und von Xwayland schließen Sicherheitslücken. Die erlauben die Rechteausweitung oder einen Denial-of-Service. --------------------------------------------- https://www.heise.de/-9345096 ∗∗∗ Rechteausweitung durch Lücke in HP Print and Scan Doctor ∗∗∗ --------------------------------------------- Aktualisierte Software korrigiert einen Fehler im Support-Tool HP Print and Scan Doctor, der die Ausweitung der Rechte im System ermöglicht. --------------------------------------------- https://www.heise.de/-9345192 ∗∗∗ Konfigurationsprogramm von BIG-IP-Appliances als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- F5 hat wichtige Sicherheitsupdates für BIG-IP-Produkte veröffentlicht. Angreifer können Geräte kompromittieren. --------------------------------------------- https://www.heise.de/-9346460 ∗∗∗ Lücken in Nessus Network Monitor ermöglichen Rechteerhöhung ∗∗∗ --------------------------------------------- Eine neue Version vom Nessus Network Monitor schließt Sicherheitslücken, durch die Angreifer etwa ihre Rechte erhöhen können. --------------------------------------------- https://www.heise.de/news/-9346392 ∗∗∗ VMWare Tools: Schwachstellen erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Die VMware Tools unter Linux, Windows und macOS erlauben Angreifern unter bestimmten Umständen, unbefugt Kommandos abzusetzen. Noch sind nicht alle Updates da. --------------------------------------------- https://www.heise.de/-9346863 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) ∗∗∗ --------------------------------------------- Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/948930/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk). --------------------------------------------- https://lwn.net/Articles/949057/ ∗∗∗ Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data ∗∗∗ --------------------------------------------- Mirth Connect versions prior to 4.4.1 are vulnerable to CVE-2023-43208, a bypass for an RCE vulnerability. --------------------------------------------- https://www.securityweek.com/critical-mirth-connect-vulnerability-could-exp… ∗∗∗ Apple Releases Security Advisories for Multiple Products ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-… ∗∗∗ Schwachstelle CVE-2023-5363 in OpenSSL ∗∗∗ --------------------------------------------- In der Software OpenSSL wurde eine Schwachstelle CVE-2023-5363 gefunden. Die Initialisierung der Verschlüsselungsschlüssellänge und des Initialisierungsvektors in OpenSLL ist fehlerhaft. Für die Linux-Distributionen Debian und Ubuntu ist ein Fix aber bereits verfügbar. --------------------------------------------- https://www.borncity.com/blog/2023/10/27/schwachstelle-cve-2023-5363-in-ope… ∗∗∗ ServiceNow fixt stillschweigend Bug aus 2015 der Datenlecks ermöglichte ∗∗∗ --------------------------------------------- Das US-Unternehmen ServiceNow Inc. bietet eine Cloud-Plattform an, in deren Software wohl seit 2015 ein Bug klaffte, über den Dritte ohne Authentifizierung Informationen abziehen konnten. Nachdem ein Sicherheitsforscher auf die Schwachstelle gestoßen ist, wurde diese stillschweigend in der Cloud-Lösung beseitigt. --------------------------------------------- https://www.borncity.com/blog/2023/10/27/servicenow-fixt-stillschweigend-bu… ∗∗∗ 9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution ∗∗∗ --------------------------------------------- Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-oct-25-2023/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2023-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0024.html ∗∗∗ SonicWall SSO Agent - Directory Services Connector MSI Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0016 ∗∗∗ SonicWall NetExtender Windows Client DLL Search Order Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0017 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2023
by Daily end-of-shift report 25 Oct '23

25 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-10-2023 18:00 − Mittwoch 25-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Citrix Bleed exploit lets hackers hijack NetScaler accounts ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit is released for the Citrix Bleed vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-ha… ∗∗∗ Phishing-Masche: Klarstellung wegen Viren-Versands gefordert ∗∗∗ --------------------------------------------- Die Verbraucherzentralen warnen vor Betrugsmails, die Empfänger zu einer Klarstellung auffordern. Es seien Beschwerden wegen Malware-Versands eingegangen. --------------------------------------------- https://www.heise.de/news/Phishing-Masche-Klarstellung-wegen-Viren-Versands… ∗∗∗ Exploitcode für Root-Lücke in VMware Aria Operations for Logs in Umlauf ∗∗∗ --------------------------------------------- In Umlauf befindlicher Exploitcode gefährdet VMwares Management-Plattform für Cloudumgebungen. Admins sollten jetzt Sicherheitsupdates installieren. --------------------------------------------- https://www.heise.de/news/Exploitcode-fuer-Root-Luecke-in-VMware-Aria-Opera… ∗∗∗ Webmailer Roundcube: Attacken auf Zero-Day-Lücke ∗∗∗ --------------------------------------------- Im Webmailer Roundcube missbrauchen Cyberkriminelle eine Sicherheitslücke, um verwundbare Einrichtungen anzugreifen. Ein Update schließt das Leck. --------------------------------------------- https://www.heise.de/news/Webmailer-Roundcube-Attacken-auf-Zero-Day-Luecke-… ∗∗∗ Teils kritische Lücken in VMware vCenter Server und Cloud Foundation geschlossen ∗∗∗ --------------------------------------------- VMware hat aktualisierte Softwarepakete veröffentlicht, die mehrere Lücken in vCenter Server und Cloud Foundation abdichten. Eine gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Update-stopft-kritische-Luecke-in-VMware-vCenter-… ∗∗∗ Nusuccess: Seriöse Marketingagentur oder unseriöses Schneeballsystem? ∗∗∗ --------------------------------------------- Die Nusuccess FZCO mit Sitz in Dubai – vormals mit Sitz in Kärnten – bezeichnet sich selbst als „weltweit renommierte Werbeagentur“. Welche Leistungen diese Firma tatsächlich erbringt, bleibt aber im besten Fall vage. Erfahrungsberichte deuten darauf hin, dass sie ihren Gewinn hauptsächlich durch den Verkauf von teuren „Franchise-Paketen“ erzielt. Was genau Inhalt dieser Franchise-Pakete sein soll, bleibt unklar. --------------------------------------------- https://www.watchlist-internet.at/news/nusuccess-serioese-marketingagentur-… ∗∗∗ Social engineering: Hacking minds over bytes ∗∗∗ --------------------------------------------- In this blog, lets focus on the intersection of psychology and technology, where cybercriminals manipulate human psychology through digital means to achieve their objectives. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/social-engineering-… ∗∗∗ How to Secure the WordPress Login Page ∗∗∗ --------------------------------------------- Given that WordPress powers millions of websites worldwide, it’s no surprise that it’s a prime target for malicious activities ranging from brute force attacks and hacking attempts to unauthorized access — all of which can wreak havoc on your site’s functionality, damage reputation, or even result in lost revenue and sales. A common entry point often exploited by hackers is the WordPress login page, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/how-to-secure-the-wordpress-login-page.html ∗∗∗ The Rise of S3 Ransomware: How to Identify and Combat It ∗∗∗ --------------------------------------------- In todays digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets. --------------------------------------------- https://thehackernews.com/2023/10/the-rise-of-s3-ransomware-how-to.html ∗∗∗ RT 5.0.5 and 4.4.7 Now Available ∗∗∗ --------------------------------------------- RT versions 5.0.5 and 4.4.7 are now available. In addition to some new features and bug fixes, these releases contain important security updates and are recommended for all RT users. --------------------------------------------- https://bestpractical.com/blog/2023/10/rt-505-and-447-now-available ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in Cisco IOS XE: Auch Rockwell-Industrieswitches betroffen ∗∗∗ --------------------------------------------- Neben Cisco-eigenen Geräten sind auch Rockwell-Switches der Stratix-Serie für den Industrieeinsatz betroffen. Eine Fehlerbehebung steht noch aus. --------------------------------------------- https://www.heise.de/news/Luecke-in-Cisco-IOS-XE-Auch-Rockwell-Industrieswi… ∗∗∗ VMSA-2023-0023 ∗∗∗ --------------------------------------------- Synopsis: VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities (CVE-2023-34048, CVE-2023-34056) 1. Impacted Products * VMware vCenter Server * VMware Cloud Foundation --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0023.html ∗∗∗ Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress ∗∗∗ --------------------------------------------- On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response on September 29, 2023 and sent over our full disclosure details. --------------------------------------------- https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-pat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0, openssl, roundcube, and xorg-server), Fedora (dotnet6.0, dotnet7.0, roundcubemail, and wordpress), Mageia (redis), Oracle (dnsmasq, python27:2.7, python3, tomcat, and varnish), Red Hat (python39:3.9, python39-devel:3.9), Slackware (mozilla and vim), SUSE (openssl-3, poppler, ruby2.5, and xen), and Ubuntu (.Net, linux-gcp-5.15, linux-gkeop-5.15, linux-intel-iotg-5.15, linux-starfive-6.2, mysql-5.7, ncurses, and openssl). --------------------------------------------- https://lwn.net/Articles/948814/ ∗∗∗ Movable Type vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN39139884/ ∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 XSRF ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php ∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php ∗∗∗ AIX is vulnerable to sensitive information exposure due to Perl (CVE-2023-31484 and CVE-2023-31486) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047272 ∗∗∗ IBM QRadar SIEM includes components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7049133 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7058540 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7058536 ∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Business Developer. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7059262 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2023
by Daily end-of-shift report 24 Oct '23

24 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-10-2023 18:00 − Dienstag 24-10-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Log in With... Feature Allows Full Online Account Takeover for Millions ∗∗∗ --------------------------------------------- Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems. --------------------------------------------- https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-take… ∗∗∗ Hostile Takeover: Malicious Ads via Facebook ∗∗∗ --------------------------------------------- Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone elses name and at the expense of those affected. --------------------------------------------- https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads ∗∗∗ Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware ∗∗∗ --------------------------------------------- In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows. --------------------------------------------- https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/ ∗∗∗ Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar ∗∗∗ --------------------------------------------- The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html ∗∗∗ Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 ∗∗∗ --------------------------------------------- We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest. --------------------------------------------- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-to… ∗∗∗ Best Practices for Writing Quality Vulnerability Reports ∗∗∗ --------------------------------------------- How to write great vulnerability reports? If you’re a security consultant, penetration tester or a bug bounty hunter, these tips are for you! --------------------------------------------- https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-… ∗∗∗ Kriminelle verbreiten falsche Ryanair-Telefonnummern ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie im Internet nach einer Telefonnummer von Ryanair suchen. Kriminelle stellen Webseiten mit falschen Nummern ins Netz. Wenn Sie bei der falschen Ryanair-Servicehotline anrufen, stehlen Kriminelle Ihnen sensible Daten und Geld. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanai… ∗∗∗ LOLBin mit WorkFolders.exe unter Windows ∗∗∗ --------------------------------------------- Die legitime Windows-Anwendung WorkFolders.exe lässt sich verwenden, um andere .exe-Programme im Windows-Ordner System32 oder im aktuellen Ordner zu starten. Dies ermöglicht Malware sogenannte LOLBin-Angriffe, bei der legitime Betriebssystemdateien zur Ausführung von Schadprogrammen missbraucht werden. --------------------------------------------- https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-w… ∗∗∗ The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3 ∗∗∗ --------------------------------------------- The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST). --------------------------------------------- https://orca.security/resources/blog/cvss-version-4-versus-version-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMware warns admins of public exploit for vRealize RCE flaw ∗∗∗ --------------------------------------------- VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs). --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-publi… ∗∗∗ Viele Systeme längst kompromittiert: Cisco stellt Patches für IOS XE bereit ∗∗∗ --------------------------------------------- Durch Schwachstellen in der Betriebssoftware IOS XE sind weltweit Zehntausende von Cisco-Geräten infiltriert worden. Jetzt gibt es erste Patches. --------------------------------------------- https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt… ∗∗∗ CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files ∗∗∗ --------------------------------------------- Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system. --------------------------------------------- https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-… ∗∗∗ Proxy: Squid-Entwickler dichten teils kritische Lecks in Version 6.4 ab ∗∗∗ --------------------------------------------- Mit Squid 6.4 haben die Entwickler eine um vier Sicherheitslücken bereinigte Version des Proxy-Servers vorgelegt. Es klaffen jedoch weitere Lücken darin. --------------------------------------------- https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherh… ∗∗∗ Lücke in LiteSpeed-Cache-Plug-in gefährdet 4 Millionen WordPress-Websites ∗∗∗ --------------------------------------------- Angreifer können WordPress-Websites mit Schadcode-Skripten verseuchen. Ein Sicherheitsupdate repariert das LiteSpeed-Cache-Plug-in. --------------------------------------------- https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Mi… ∗∗∗ Sicherheitsupdates: Firefox-Browser anfällig für Clickjacking-Attacken ∗∗∗ --------------------------------------------- Mozilla hat in aktuellen Versionen von Firefox und Firefox ESR mehrere Sicherheitsprobleme gelöst. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/948688/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Vulnerability in SICK Flexi Soft Gateway ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-164691.html ∗∗∗ Rockwell Automation Stratix 5800 and Stratix 5200 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2023
by Daily end-of-shift report 23 Oct '23

23 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-10-2023 18:00 − Montag 23-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sessioncookies: Hacker erbeuten Zugangscodes bei Identitätsdienst Okta ∗∗∗ --------------------------------------------- Der Identitätsdienst Okta ist ein weiteres Mal das Einfallstor für Hacker gewesen. Dieses Mal betraf es Daten des Kundensupports. --------------------------------------------- https://www.golem.de/news/sessioncookies-hacker-erbeuten-zugangscodes-bei-i… ∗∗∗ Erst nach 3 Jahren gefixt: Zeiterfassungssystem ermöglichte OAuth-Token-Diebstahl ∗∗∗ --------------------------------------------- Harvest ermöglichte es Angreifern, OAuth-Token von Nutzern zu stehlen, die die Zeiterfassungssoftware mit Outlook verbinden wollten. --------------------------------------------- https://www.golem.de/news/erst-nach-3-jahren-gefixt-zeiterfassungssystem-er… ∗∗∗ Die MOVEit-Sicherheitslücke – eine Zwischenbilanz ∗∗∗ --------------------------------------------- Selbst wer die Software nicht verwendet, kann ein Opfer sein. Schätzungen gehen bisher von rund 68 Millionen Personen aus, deren Daten abgeflossen sind. --------------------------------------------- https://www.heise.de/-9318038.html ∗∗∗ Internationalen Ermittlungsbehörden gelingt Schlag gegen Ragnar Locker ∗∗∗ --------------------------------------------- Internationalen Ermittlern ist es gelungen, die Infrastruktur der bekannten Ransomware-Gruppierung Ragnar Locker zu zerschlagen. --------------------------------------------- https://www.heise.de/-9340480.html ∗∗∗ Cisco IOS XE und die verschwundenen Hintertüren ∗∗∗ --------------------------------------------- Die Anzahl der offensichtlich kompromittierten Geräte ist auch in Deutschland schlagartig gefallen, was wohl kaum an den gerade erschienenen Patches liegt. --------------------------------------------- https://www.heise.de/-9341205.html ∗∗∗ New TetrisPhantom hackers steal data from secure USB drives on govt systems ∗∗∗ --------------------------------------------- A new sophisticated threat tracked as TetrisPhantom has been using compromised secure USB drives to target government systems in the Asia-Pacific region. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-st… ∗∗∗ The outstanding stealth of Operation Triangulation ∗∗∗ --------------------------------------------- In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules. --------------------------------------------- https://securelist.com/triangulation-validators-modules/110847/ ∗∗∗ base64dump.py Handles More Encodings Than Just BASE64, (Sun, Oct 22nd) ∗∗∗ --------------------------------------------- My tool base64dump.py takes any input and searches for encoded data. By default, it searches for base64 encoding, but I implemented several encodings (like vaious hexadecimal formats) --------------------------------------------- https://isc.sans.edu/diary/rss/30332 ∗∗∗ How an AppleTV may take down your (#IPv6) network, (Mon, Oct 23rd) ∗∗∗ --------------------------------------------- I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6. --------------------------------------------- https://isc.sans.edu/diary/rss/30336 ∗∗∗ Tampered OpenCart Authentication Aids Credit Card Skimming Attack ∗∗∗ --------------------------------------------- Using out of date software is the leading cause of website compromise, so keeping your environment patched and up to date is one of the most important responsibilities of a website administrator. It’s not uncommon to employ the use of custom code on websites, and spend small fortunes on software developers to tailor their website just the way they want it. However, the usage of customised code can sometimes inadvertently lock a website administrator into using an out of date CMS installation long after its expiry date, particularly if they no longer have access to their old developer (or sufficient funds to hire a new one). --------------------------------------------- https://blog.sucuri.net/2023/10/tampered-opencart-authentication-aids-credi… ∗∗∗ Abusing gdb Features for Data Ingress & Egress ∗∗∗ --------------------------------------------- As of November 2019, elfutils supports debuginfod, a client/server protocol that enables debuggers (gdb) to fetch debugging symbols via HTTP/HTTPs from a user-specified remote server. This blog post will demonstrate how this feature of gdb can be abused to create data communication paths for data exfiltration and tool ingress. --------------------------------------------- https://www.archcloudlabs.com/projects/debuginfod/ ∗∗∗ Vorsicht vor Jobangeboten auf WhatsApp oder Telegram ∗∗∗ --------------------------------------------- Sie suchen gerade einen Job? Praktisch, wenn Sie gar nicht suchen müssen und Sie direkt auf WhatsApp oder Telegram einen Job angeboten bekommen. Dahinter stecken aber Kriminelle, die Ihnen z. B. einen „Datenoptimierungsjob mit möglichen Provisionen“ anbieten. Auf Plattformen wie privko.live oder depopnr.com verlieren Sie dann Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-auf-whatsa… ∗∗∗ Important security update ∗∗∗ --------------------------------------------- Autodesk recently determined that an unauthorized third-party obtained access to portions of internal systems. Our findings show that sensitive data about our customers and their projects or products have not been compromised. We immediately took steps to contain the incident. Forensic analysis conducted by an independent, third party indicates that no customer operations or Autodesk products were disrupted due to this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0020 ∗∗∗ Kritische Sicherheitslücke in Cisco IOS XE - aktiv ausgenützt ∗∗∗ --------------------------------------------- Update: 23. Oktober 2023 Cisco hat für einige der von der Schwachstelle betroffenen Geräte Aktualisierungen veröffentlicht, und weitere Updates angekündigt. Das Unternehmen aktualisiert die Liste an verfügbaren Patches auf einer dedizierten Seite laufend. Wenn das Management-WebInterface eines Cisco XE Gerätes vor dem Einspielen des Updates offen im Netz erreichbar war, ist davon auszugehen, dass ein Angreifer dies ausgenutzt hat und zumindest neue Admin-Accounts angelegt hat. Damit ist die Installation von weiteren Hintertüren möglich, die - aus heutiger Sicht - nur mit einem Factory Reset / Neuinstallation von IOS XE umfassend entfernt werden können --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-cisco-io… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 1.4: Updated the summary to indicate the first fixes are available. Added specific fixed release information. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krb5, redis, roundcube, ruby-rack, ruby-rmagick, zabbix, and zookeeper), Fedora (ansible-core, chromium, libvpx, mingw-xerces-c, python-asgiref, python-django, and vim), Mageia (cadence, kernel, kernel-linus, libxml2, nodejs, and shadow-utils), Oracle (nghttp2), Slackware (LibRaw), and SUSE (chromium, java-11-openjdk, nodejs18, python-Django, python-urllib3, and suse-module-tools). --------------------------------------------- https://lwn.net/Articles/948522/ ∗∗∗ Vulnerability in QUSBCam2 ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-43 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2023
by Daily end-of-shift report 20 Oct '23

20 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-10-2023 18:00 − Freitag 20-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malvertising: Angreifer nutzen Punycode für gefälschte Webseiten ∗∗∗ --------------------------------------------- Cyberkriminelle werben über Google Ads etwa mit gefälschten KeePass-URLs mit Punycode-Zeichen. Die beworbene Seite liefert Malware aus. --------------------------------------------- https://www.heise.de/-9339448.html ∗∗∗ SolarWinds behebt Codeschmuggel in Access Rights Manager ∗∗∗ --------------------------------------------- Die Software zur Verwaltung von Zugriffsberechtigungen hat unter anderem Fehler, die eine Rechteausweitung ermöglichten. Admins sollten zügig handeln. --------------------------------------------- https://www.heise.de/-9339437.html ∗∗∗ VMware dichtet hochriskante Lecks in Aria, Fusion und Workstation ab ∗∗∗ --------------------------------------------- VMware hat Updates für VMNware Aria Operations for Logs, VMware Fusion sowie VMware Workstation veröffentlicht. Sie schließen teils hochriskante Lücken. --------------------------------------------- https://www.heise.de/-9339932.html ∗∗∗ IT-Sicherheitsbehörden geben Tipps für sichere Software und Phishing-Prävention ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA veröffentlicht mit internationalen Partnern je eine Handreichung zu sicherem Software-Entwurf und zur Phishing-Prävention. --------------------------------------------- https://www.heise.de/-9339899.html ∗∗∗ Cybersicherheit ermöglichen – BSI veröffentlicht Checklisten für Kommunen ∗∗∗ --------------------------------------------- Das BSI bietet Kommunen nun einen unkomplizierten und ressourcenschonenden Einstieg in den etablierten IT-Grundschutz des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Fake Corsair job offers on LinkedIn push DarkGate malware ∗∗∗ --------------------------------------------- A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-l… ∗∗∗ ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges ∗∗∗ --------------------------------------------- A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said [...] --------------------------------------------- https://thehackernews.com/2023/10/exelastealer-new-low-cost-cybercrime.html ∗∗∗ Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall ∗∗∗ --------------------------------------------- Here at watchTowr, we just love attacking high-privilege devices [...]. A good example of these is the device class of ‘next generation’ firewalls, which usually include VPN termination functionality (meaning they’re Internet-accessible by network design). These devices patrol the border between the untrusted Internet and an organisation’s softer internal network, and so are a great place for attackers to elevate their status from ‘outsiders’ to ‘trusted users’. --------------------------------------------- https://labs.watchtowr.com/ghost-in-the-wire-sonic-in-the-wall/ ∗∗∗ VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs ∗∗∗ --------------------------------------------- Earlier this year we reported the technical details for VMSA-2023-0001 affecting VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). [...] During the course of that investigation, we noticed the fix provided by VMware was not sufficient to stop a motivated attacker. We reported this new issue to VMware and it was fixed in VMSA-2023-0021. This post will discuss the technical details of CVE-2023-34051, an authentication bypass that allows remote code execution as root. --------------------------------------------- https://www.horizon3.ai/vmware-aria-operations-for-logs-cve-2023-34051-tech… ∗∗∗ Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities ∗∗∗ --------------------------------------------- Hackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware, making it easy for even amateur cybercriminals to target common vulnerabilities. The LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit leaked in September 2022 by a disgruntled affiliate. --------------------------------------------- https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit ∗∗∗ Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores ∗∗∗ --------------------------------------------- In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/asn1-vulnerabilities-in-5g-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Version 1.2: Added access list mitigation. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Command Injection Vulnerability ∗∗∗ --------------------------------------------- Version 1.1: Added information about active exploitation attempts. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ RT 5.0.5 Release Notes ∗∗∗ --------------------------------------------- RT 5.0.5 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/5.0.5 ∗∗∗ RT 4.4.7 Release Notes ∗∗∗ --------------------------------------------- RT 4.4.7 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/4.4.7 ∗∗∗ VMSA-2023-0022 ∗∗∗ --------------------------------------------- VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0022.html ∗∗∗ VMSA-2023-0021 ∗∗∗ --------------------------------------------- VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0021.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt). --------------------------------------------- https://lwn.net/Articles/948368/ ∗∗∗ Kritische Sicherheitslücke in Citrix NetScaler ADC und NetScaler Gateway - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentifizierten Angreifer:innen, bestehende, authentifizierte Sessions zu übernehmen. Diese Schwachstelle wird zumindest seit Ende August 2023 bei Angriffen gegen Ziele in verschiedenen Sektoren aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-citrix-n… ∗∗∗ Multiple vulnerabilities in ctrlX WR21 HMI ∗∗∗ --------------------------------------------- BOSCH-SA-175607: The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines ∗∗∗ --------------------------------------------- A vulnerability exists on all versions of the Ivanti Secure Access Client Below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-38041-New-client-side-release-… ∗∗∗ Decision Optimization in IBM Cloud Pak for Data is affected by a vulnerability in Node.js semver package (CVE-2022-25883) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056400 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect IBM ILOG CPLEX Optimization Studio (CVE-2023-21968, CVE-2023-21937, CVE-2023-21938) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056397 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM CICS TX Standard and IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056433 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056425 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056429 ∗∗∗ IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056456 ∗∗∗ IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a denial of service due to Okio GzipSource (CVE-2023-3635). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056518 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2023
by Daily end-of-shift report 19 Oct '23

19 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-10-2023 18:00 − Donnerstag 19-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Money-making scripts attack organizations ∗∗∗ --------------------------------------------- Cybercriminals attack government, law enforcement, non-profit organizations, agricultural and commercial companies by slipping a cryptominer, keylogger, and backdoor into their systems. --------------------------------------------- https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/ ∗∗∗ HasMySecretLeaked findet auf GitHub veröffentlichte Secrets ∗∗∗ --------------------------------------------- Wer prüfen möchte, ob seine Secrets auf GitHub geleakt sind, kann das kostenfreie Toolset von GitGuardian nutzen. Es soll dabei private Daten schützen. --------------------------------------------- https://www.heise.de/news/Security-Toolset-HasMySecretLeaked-sucht-auf-GitH… ∗∗∗ Public Report – Caliptra Security Assessment ∗∗∗ --------------------------------------------- During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. --------------------------------------------- https://research.nccgroup.com/2023/10/18/public-report-caliptra-security-as… ∗∗∗ Number of Cisco Devices Hacked via Unpatched Vulnerability Increases to 40,000 ∗∗∗ --------------------------------------------- The number of Cisco devices hacked via the CVE-2023-20198 zero-day has reached 40,000, including many in the US. --------------------------------------------- https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-v… ∗∗∗ Ein PayPal-Tonband ruft an? Drücken Sie nicht die 1! ∗∗∗ --------------------------------------------- Eine unbekannte Nummer erscheint am Smartphone-Bildschirm. Sie heben ab und eine Roboterstimme meldet sich im Namen PayPals. Angeblich soll Geld von Ihrem PayPal-Konto behoben werden. Um das zu verhindern, sollen Sie die Taste „1“ drücken. Tun Sie dies nicht – Kriminelle versuchen, Ihnen dadurch Geld und Daten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/ein-paypal-tonband-ruft-an-druecken-… ∗∗∗ Es cyberwart wieder. Oder so. ∗∗∗ --------------------------------------------- Wie schon zu Beginn des Krieges in der Ukraine vor inzwischen eineinhalb Jahren kam es auch kurz nach den Ereignissen, die am 07.10.2023 Israel erschüttert haben, relativ schnell zu Berichten über die mögliche Rolle von Cyberangriffen in diesem Konflikt. --------------------------------------------- https://cert.at/de/blog/2023/10/es-cyberwart-wieder-oder-so ∗∗∗ Hackers Exploit QR Codes with QRLJacking for Malware Distribution ∗∗∗ --------------------------------------------- Researchers report a surge in QR code-related cyberattacks exploiting phishing and malware distribution, especially QRLJacking and Quishing attacks. --------------------------------------------- https://www.hackread.com/hackers-exploit-qr-codes-qrljacking-malware/ ∗∗∗ CISA, NSA, FBI, MS-ISAC Publish Guide on Preventing Phishing Intrusions ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-fbi-ms-isac-publish-guide-pr… ∗∗∗ Exploited SSH Servers Offered in the Dark web as Proxy Pools ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have shed brighter light on a long-standing threat to SSH in the context of the cloud. More specifically, the threat actor harnessed our SSH server to be a slave proxy and pass traffic through it. --------------------------------------------- https://blog.aquasec.com/threat-alert-exploited-ssh-servers-offered-in-the-… ===================== = Vulnerabilities = ===================== ∗∗∗ Casio discloses data breach impacting customers in 149 countries ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained to the servers of its ClassPad education platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-discloses-data-breach-… ∗∗∗ Sophos Firewall: PDF-Passwortschutz der SPX-Funktion umgehbar ∗∗∗ --------------------------------------------- Sophos verteilt aktualisierte Firmware für die Firewalls. Im Secure PDF eXchange können Angreifer den Schutz umgehen und unbefugt PDF-Dateien entschlüsseln. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-PDF-Passwortschutz-der-SPX-Funkti… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-babel), Fedora (moodle), Gentoo (mailutils), Oracle (go-toolset:ol8 and java-11-openjdk), Red Hat (ghostscript, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, nghttp2, nodejs:16, nodejs:18, and rhc-worker-script), SUSE (cni, cni-plugins, container-suseconnect, containerd, cups, exim, grub2, helm, libeconf, nodejs18, python3, runc, slurm, supportutils, and tomcat), and Ubuntu (glib2.0, openssl, and vips). --------------------------------------------- https://lwn.net/Articles/948246/ ∗∗∗ ZDI-23-1568: NI Measurement & Automation Explorer Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1568/ ∗∗∗ ZDI-23-1567: SolarWinds Access Rights Manager OpenClientUpdateFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1567/ ∗∗∗ ZDI-23-1566: SolarWinds Access Rights Manager GetParameterFormTemplateWithSelectionState Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1566/ ∗∗∗ ZDI-23-1565: SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1565/ ∗∗∗ ZDI-23-1564: SolarWinds Access Rights Manager createGlobalServerChannelInternal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1564/ ∗∗∗ ZDI-23-1563: SolarWinds Access Rights Manager ExecuteAction Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1563/ ∗∗∗ ZDI-23-1562: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1562/ ∗∗∗ ZDI-23-1561: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1561/ ∗∗∗ ZDI-23-1560: SolarWinds Access Rights Manager IFormTemplate Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1560/ ∗∗∗ Cisco Catalyst SD-WAN Manager Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/10/19/technical-advisory-multiple-vulner… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2023
by Daily end-of-shift report 18 Oct '23

18 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-10-2023 18:00 − Mittwoch 18-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious Notepad++ Google ads evade detection for months ∗∗∗ --------------------------------------------- A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-… ∗∗∗ Over 40,000 admin portal accounts use admin as a password ∗∗∗ --------------------------------------------- Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-40-000-admin-portal-acc… ∗∗∗ Recently patched Citrix NetScaler bug exploited as zero-day since August ∗∗∗ --------------------------------------------- A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced. --------------------------------------------- https://www.bleepingcomputer.com/news/security/recently-patched-citrix-nets… ∗∗∗ Hiding in Hex, (Wed, Oct 18th) ∗∗∗ --------------------------------------------- There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable. but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter give a lot of results encoded in hexadecimal. --------------------------------------------- https://isc.sans.edu/diary/rss/30322 ∗∗∗ Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign ∗∗∗ --------------------------------------------- Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill said in a Wednesday write-up. --------------------------------------------- https://thehackernews.com/2023/10/qubitstrike-targets-jupyter-notebooks.html ∗∗∗ BlackCat Climbs the Summit With a New Tactic ∗∗∗ --------------------------------------------- BlackCat ransomware gang has released a utility called Munchkin, allowing attackers to propagate their payload to remote machines. We analyze this new tool. --------------------------------------------- https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utilit… ∗∗∗ Updated MATA attacks industrial companies in Eastern Europe ∗∗∗ --------------------------------------------- Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe. --------------------------------------------- https://ics-cert.kaspersky.com/publications/updated-mata-attacks-industrial… ∗∗∗ Where Has the MS Office Document Malware Gone? ∗∗∗ --------------------------------------------- Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1] While the distribution method for the named malware differs slightly depending on their main features, Infostealer-type malware typically uses malicious sites disguised as pages for downloading legitimate programs as their distribution route. --------------------------------------------- https://asec.ahnlab.com/en/57883/ ∗∗∗ CISA Updates Toolkit to Promote Public Safety Communications and Cyber Resiliency ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) collaborates with public safety, national security, and emergency preparedness communities to enhance seamless and secure communications to keep America safe, secure, and resilient. Any interruption in communications can have a cascading effect, impacting a public safety agency’s ability to deliver critical lifesaving services to the community. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-updates-toolkit-promote-public-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Oracle veröffentlicht 387 Sicherheits-Patches ∗∗∗ --------------------------------------------- Der vierteljährliche Patchday von Oracle hat stattgefunden. Er bringt im Oktober 387 Updates für mehr als 120 Produkte. --------------------------------------------- https://www.heise.de/-9337238 ∗∗∗ AMD-Grafiktreiber: Codeschmuggel durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- AMD warnt vor einer Sicherheitslücke in den eigenen Grafiktreibern. Angreifer könnten Code einschleusen und mit erhöhten Rechten ausführen. --------------------------------------------- https://www.heise.de/-9337480 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix). --------------------------------------------- https://lwn.net/Articles/948097/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2023
by Daily end-of-shift report 17 Oct '23

17 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-10-2023 18:00 − Dienstag 17-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Discord still a hotbed of malware activity — Now APTs join the fun ∗∗∗ --------------------------------------------- Discord continues to be a breeding ground for malicious activity by hackers and now APT groups, with it commonly used to distribute malware, exfiltrate data, and targeted by threat actors to steal authentication tokens. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-ma… ∗∗∗ A hack in hand is worth two in the bush ∗∗∗ --------------------------------------------- We analyzed the data published by Cyber Av3ngers and found it to be sourced from older leaks by another hacktivist group called Moses Staff. --------------------------------------------- https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/ ∗∗∗ Android Mobile Root Detection – Snake Oil or Silver Bullet? ∗∗∗ --------------------------------------------- Android is one of the most widely used mobile operating systems in the world. However, with its widespread use, it is also susceptible to security threats. --------------------------------------------- https://sec-consult.com/blog/detail/android-mobile-root-detection-snake-oil… ∗∗∗ NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics ∗∗∗ --------------------------------------------- NSA has released Elitewolf, a repository of intrusion detection signatures and analytics for OT environments. --------------------------------------------- https://www.securityweek.com/nsa-publishes-ics-ot-intrusion-detection-signa… ∗∗∗ Betrügerische Spendenorganisationen sammeln Geld für Israel ∗∗∗ --------------------------------------------- Kriminelle wissen, dass die Spendenbereitschaft in Krisensituationen besonders hoch ist. Nur wenige Tage nach dem Anschlag in Israel tauchen im Netz betrügerische Spenden-Websiten für Israel auf. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenorganisationen… ∗∗∗ Snapshot fuzzing direct composition with WTF ∗∗∗ --------------------------------------------- Although there is public research on Direct Composition, only a few discuss fuzzing this feature, and none, to our knowledge, that covers snapshot fuzzing. --------------------------------------------- https://blog.talosintelligence.com/snapshot-fuzzing-direct-composition-with… ∗∗∗ Principles for ransomware-resistant cloud backups ∗∗∗ --------------------------------------------- Helping to make cloud backups resistant to the effects of destructive ransomware. --------------------------------------------- https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software ∗∗∗ --------------------------------------------- Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. --------------------------------------------- https://thehackernews.com/2023/10/critical-vulnerabilities-uncovered-in.html ∗∗∗ Cisco: Schwere Sicherheitslücke in IOS XE ermöglicht Netzwerk-Übernahme ∗∗∗ --------------------------------------------- Geräte mit IOS XE und Web-UI können von Angreifern ohne Weiteres aus der Ferne übernommen werden. Cisco hat keine Patches, aber Empfehlungen für Betroffene. --------------------------------------------- https://www.heise.de/news/Cisco-Schwere-Sicherheitsluecke-in-IOS-XE-erlaubt… ∗∗∗ SonicOS: Angreifer können Sonicwalls abstürzen lassen ∗∗∗ --------------------------------------------- Sonicwall hat Updates für SonicOS veröffentlicht, die Sicherheitslücken schließen. Die Lecks erlauben Angreifern, verwundbare Geräte lahmzulegen. --------------------------------------------- https://www.heise.de/news/SonicOS-Angreifer-koennen-Sonicwalls-abstuerzen-l… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (axis, nghttp2, node-babel7, and tomcat9), Fedora (curl and ghostscript), Oracle (bind, kernel-container, mariadb:10.5, and python3.11), Red Hat (.NET 7.0, go-toolset, golang, and go-toolset:rhel8), SUSE (kernel, libcue, libxml2, python-Django, and python-gevent), and Ubuntu (curl, ghostscript, iperf3, libcue, python2.7, quagga, and samba). --------------------------------------------- https://lwn.net/Articles/948010/ ∗∗∗ K000137211 : cURL vulnerabilities CVE-2023-38546 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137211 ∗∗∗ Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-047/ ∗∗∗ WAGO: Multiple products vulnerable to local file inclusion ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-046/ ∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-01 ∗∗∗ Rockwell Automation FactoryTalk Linx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-02 ∗∗∗ Vulnerability CVE-2023-35116 affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052938 ∗∗∗ IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/276845 ∗∗∗ IBM Db2 is vulnerable to denial of service via a specially crafted query on certain databases. (CVE-2023-30987) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047560 ∗∗∗ Vulnerability in pycrypto-2.6.1.tar.gz affects IBM Integrated Analytics System [CVE-2013-7459, CVE-2018-6594] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053417 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM Observability with Instana (Agent container image) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053623 ∗∗∗ Remote code execution/denial of service attack is possible in IBM Observability with Instana (Self-hosted on Docker) due to use of Apache Kafka ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053643 ∗∗∗ Due to use of Apache Commons FileUpload and Tomcat, IBM UrbanCode Release is vulnerable to a denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053627 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2023
by Daily end-of-shift report 16 Oct '23

16 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-10-2023 18:00 − Montag 16-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DarkGate malware spreads through compromised Skype accounts ∗∗∗ --------------------------------------------- Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-thr… ∗∗∗ Scanning evasion issue in Cisco Secure Email Gateway ∗∗∗ --------------------------------------------- Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files. --------------------------------------------- https://jvn.jp/en/jp/JVN58574030/ ∗∗∗ Security review for Microsoft Edge version 118 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 118! We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls ∗∗∗ --------------------------------------------- The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. --------------------------------------------- https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html ∗∗∗ Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign ∗∗∗ --------------------------------------------- Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems."The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..] --------------------------------------------- https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html ∗∗∗ Signal says there is no evidence rumored zero-day bug is real ∗∗∗ --------------------------------------------- As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until its fully confirmed not to be real. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evid… ∗∗∗ “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts ∗∗∗ --------------------------------------------- Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down. --------------------------------------------- https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-… ∗∗∗ Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign ∗∗∗ --------------------------------------------- We provide a comprehensive analysis of the XorDDoS Trojans attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaigns botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-deliv… ∗∗∗ WS_FTP: Ransomware-Attacken auf ungepatchte Server ∗∗∗ --------------------------------------------- In WS_FTP hat Hersteller Progress kürzlich teils kritische Sicherheitslücken geschlossen. Inzwischen sieht Sophos Ransomware-Angriffe darauf. --------------------------------------------- https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server… ∗∗∗ Milesight Industrial Router Vulnerability Possibly Exploited in Attacks ∗∗∗ --------------------------------------------- A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks. --------------------------------------------- https://www.securityweek.com/milesight-industrial-router-vulnerability-poss… ∗∗∗ Sie verkaufen auf Willhaben? Diese Betrugsmasche sollten Sie kennen! ∗∗∗ --------------------------------------------- Auf Willhaben und anderen Verkaufsplattformen begegnen Ihnen sicherlich auch mal Betrüger:innen. Besonders vorsichtig sollten Sie sein, wenn Sie zum ersten Mal verkaufen und Sie den Ablauf eines Verkaufs noch nicht so gut kennen. Wir zeigen Ihnen eine gängige Betrugsmasche und wie Sie sich davor schützen! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-be… ∗∗∗ curl-Schwachstelle durch Microsoft ungepatcht ∗∗∗ --------------------------------------------- In der Bibliothek und im Tool curl gibt es in älteren Versionen eine Schwachstelle, die vom Projekt am 11. Oktober 2023 mit der Version 8.4.0 geschlossen wurde. Microsoft liefert curl mit Windows aus, und es stellte sich die Frage, ob curl zum Patchday, 10. Oktober 2023, ebenfalls aktualisiert wurde. Mein Stand ist, dass in Windows auch nach den Oktober 2023-Updates die veraltete curl-Version enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft… ∗∗∗ Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability ∗∗∗ --------------------------------------------- Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. --------------------------------------------- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-soft… ∗∗∗ Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a ===================== = Vulnerabilities = ===================== ∗∗∗ Exim bugs ∗∗∗ --------------------------------------------- Fixed in 4.96.2/4.97: - CVE-2023-42117: Improper Neutralization of Special Elements - CVE-2023-42119: dnsdb Out-Of-Bounds Read libspf2 Integer Underflow: - CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL --------------------------------------------- https://exim.org/static/doc/security/CVE-2023-zdi.txt ∗∗∗ Wordpress: Übernahme durch Lücke in Royal Elementor Addons and Template ∗∗∗ --------------------------------------------- Im Wordpress-Plug-in Royal Elementor Addons and Template missbrauchen Cyberkriminelle eine kritische Lücke. Sie nutzen sie zur Übernahme von Instanzen. --------------------------------------------- https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elemen… ∗∗∗ Samba: Neue Versionen beheben mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Durch verschiedene Programmierfehler konnten Angreifer auf geheime Informationen bis hin zum Kerberos-TGT-Passwort zugreifen. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3). --------------------------------------------- https://lwn.net/Articles/947891/ ∗∗∗ Vulnerabilities in Video Station ∗∗∗ --------------------------------------------- Three vulnerabilities have been reported to affect Video Station: - CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities - CVE-2023-34977: Cross-site scripting (XSS) vulnerability If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-52 ∗∗∗ Vulnerabilities in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- Two vulnerabilities have been reported to affect several QNAP operating system versions: - CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. - CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-41 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-42 ∗∗∗ Vulnerability in Container Station ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-44 ∗∗∗ web2py vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN80476432/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSandbox - XSS on delete endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-311 ∗∗∗ FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-215 ∗∗∗ FortiSandbox - Arbitrary file delete ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-280 ∗∗∗ Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-041/ ∗∗∗ Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-043/ ∗∗∗ 2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos… ∗∗∗ IBM Security Verify Access Appliance has multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009735 ∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953617 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028513 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052776 ∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052811 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052810 ∗∗∗ IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052809 ∗∗∗ Vulnerability with snappy-java affect IBM Cloud Object Storage Systems (Oc2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052829 ∗∗∗ Require strict cookies for image proxy requests ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ OAuth2 client_secret stored in plain text in the database ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h… ∗∗∗ Inviting excessive long email addresses to a calendar event makes the server unresponsive ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r… ∗∗∗ Password of talk conversations can be bruteforced ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7… ∗∗∗ Rate limiter not working reliable when Memcached is installed ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x… ∗∗∗ Security updates 1.5.5 and 1.4.15 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ∗∗∗ Security update 1.6.4 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2023
by Daily end-of-shift report 13 Oct '23

13 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2023 18:00 − Freitag 13-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware attacks now target unpatched WS_FTP servers ∗∗∗ --------------------------------------------- Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-targe… ∗∗∗ FBI shares AvosLocker ransomware technical details, defense tips ∗∗∗ --------------------------------------------- The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell, and batch scripts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-shares-avoslocker-ransom… ∗∗∗ An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit ∗∗∗ --------------------------------------------- In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wil… ∗∗∗ DarkGate Malware Spreading via Messaging Services Posing as PDF Files ∗∗∗ --------------------------------------------- A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. --------------------------------------------- https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html ∗∗∗ GNOME what Im sayin? - GNOME libcue 0-click vulnerability ∗∗∗ --------------------------------------------- Am 10. Oktober wurde CVE-2023-43641 veröffentlicht, eine 0-click out-of-bounds array access Schwachstelle in libcue. GNOME verwendet diese Library zum Parsen von cuesheets beim Indizieren von Dateien für die Suchfunktion. Wie schlimm ist es? --------------------------------------------- https://cert.at/de/blog/2023/10/gnome-what-im-sayin-gnome-libcue-0-click-vu… ∗∗∗ WordPress 6.3.2 Security Release – What You Need to Know ∗∗∗ --------------------------------------------- WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-wha… ∗∗∗ Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares ∗∗∗ --------------------------------------------- Because the Lazarus threat group has been active since a long time ago, there are many attack cases and various malware strains are used in each case. In particular, there is also a wide variety of backdoors used for controlling the infected system after initial access. AhnLab Security Emergency response Center (ASEC) is continuously tracking and analyzing attacks by the Lazarus group, and in this post, we will analyze Volgmer and Scout, the two major malware strains used in their attacks. --------------------------------------------- https://asec.ahnlab.com/en/57685/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes iOS Kernel zero-day vulnerability on older iPhones ∗∗∗ --------------------------------------------- Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-… ∗∗∗ Caching-Proxy: 35 Schwachstellen in Squid schon mehr als 2 Jahre ungepatcht ∗∗∗ --------------------------------------------- Anfang 2021 hatte ein Sicherheitsforscher 55 Schwachstellen an das Entwicklerteam von Squid gemeldet. Ein Großteil ist noch offen. --------------------------------------------- https://www.golem.de/news/caching-proxy-35-schwachstellen-in-squid-schon-me… ∗∗∗ Schwere Sicherheitslücken in Monitoring-Software Zabbix behoben ∗∗∗ --------------------------------------------- In verschiedenen Komponenten der Monitoringsoftware Zabbix klafften kritische Sicherheitslücken, die Angreifern die Ausführung eigenen Codes ermöglichen. --------------------------------------------- https://www.heise.de/news/Schwere-Sicherheitsluecken-in-Monitoring-Software… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, tomcat9, and webkit2gtk), Fedora (cacti, cacti-spine, grafana-pcp, libcue, mbedtls, samba, and vim), Oracle (kernel, libvpx, and thunderbird), Red Hat (bind and galera, mariadb), SUSE (exiv2, go1.20, go1.21, and kernel), and Ubuntu (ffmpeg). --------------------------------------------- https://lwn.net/Articles/947710/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Nextcloud Security Advisory: Improper restriction of excessive authentication attempts on WebDAV endpoint ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ K000137229 : BIND vulnerability CVE-2022-38178 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137229 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2023
by Daily end-of-shift report 12 Oct '23

12 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2023 18:00 − Donnerstag 12-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Well, this SOCKS - curl SOCKS 5 Heap Buffer Overflow (CVE-2023-38545) ∗∗∗ --------------------------------------------- Nachdem letzte Woche ein Advisory zu "der schlimmsten Schwachstelle in curl seit Langem" angekündigt wurde, konnten verängstigte, verschlafene und chronisch unterkoffeinierte Admins und Security-Spezialisten nach der gestrigen Veröffentlichung den Schaden begutachten. Die gute Nachricht: Die Apokalypse ist an uns vorüber gegangen. Die schlechte Nachricht: Mit dem CVSS(v2) Score lässt sich die Schwere einer Schwachstelle nicht immer ausreichend abbilden. --------------------------------------------- https://cert.at/de/blog/2023/10/well-this-socks-curl-socks-5-heap-buffer-ov… ∗∗∗ ToddyCat: Keep calm and check logs ∗∗∗ --------------------------------------------- In this article, we’ll describe ToddyCat new toolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct espionage operations. --------------------------------------------- https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ ∗∗∗ Malicious NuGet Package Targeting .NET Developers with SeroXen RAT ∗∗∗ --------------------------------------------- A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html ∗∗∗ New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects ∗∗∗ --------------------------------------------- In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects. --------------------------------------------- https://www.virusbulletin.com/blog/2023/10/new-paper-nexus-android-banking-… ∗∗∗ Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin ∗∗∗ --------------------------------------------- A backdoor deployed on a compromised WordPress website poses as a legitimate plugin to hide its presence. --------------------------------------------- https://www.securityweek.com/backdoor-malware-found-on-wordpress-website-di… ∗∗∗ Using Velociraptor for large-scale endpoint visibility and rapid threat hunting ∗∗∗ --------------------------------------------- In this post we give on overview of some of the capabilities of Velociraptor, and also how we have leveraged them to conduct some real-time threat hunting shedding light on how it can equip security teams to proactively safeguard digital environments. --------------------------------------------- https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-… ∗∗∗ Angebliche Branchenbücher und Firmenverzeichnisse locken in teure Abo-Falle! ∗∗∗ --------------------------------------------- Aktuell werden uns zahlreiche unseriöse Branchen-, Adressen- und Firmenverzeichnisse gemeldet, die versuchen Unternehmen das Geld aus der Tasche zu ziehen. Per E-Mail, Telefon oder Fax werden Unternehmen dazu überredet, sich in ein nutzloses und oft gar nicht existierendes Branchenbuch einzutragen. Wer auf das Angebot eingeht, schließt ein überteuertes Abo ab, das nur schwer zu kündigen ist. Betroffen von dieser Abzocke sind vor allem kleine und mittlere Unternehmen. --------------------------------------------- https://www.watchlist-internet.at/news/angebliche-branchenbuecher-und-firme… ∗∗∗ XOR Known-Plaintext Attacks ∗∗∗ --------------------------------------------- In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion. --------------------------------------------- https://blog.nviso.eu/2023/10/12/xor-known-plaintext-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ An analysis of PoS/ cashIT! cash registers ∗∗∗ --------------------------------------------- This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash registers security regulation (RKSV). Besides lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis result, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are accessible over the Internet. --------------------------------------------- https://epub.jku.at/obvulioa/content/titleinfo/9142358 ∗∗∗ Sicherheitsupdates: Backdoor-Lücke bedroht Netzwerkgeräte von Juniper ∗∗∗ --------------------------------------------- Schwachstellen im Netzwerkbetriebssystem Junos OS bedrohen Routing-, Switching- und Sicherheitsgeräte von Juniper. --------------------------------------------- https://www.heise.de/-9332169 ∗∗∗ 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device [..] All these vulnerabilities also have a severity score of 9.8. Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-r… ∗∗∗ 40 Schwachstellen in IBM-Sicherheitslösung QRadar SIEM geschlossen ∗∗∗ --------------------------------------------- Mehrere Komponenten in IBM QRadar SIEM weisen Sicherheitslücken auf und gefährden das Security-Information-and-Event-Management-System. --------------------------------------------- https://www.heise.de/-9332542 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023) ∗∗∗ --------------------------------------------- Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba). --------------------------------------------- https://lwn.net/Articles/947570/ ∗∗∗ Weintek cMT3000 HMI Web CGI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-13 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ PILZ : WIBU Vulnerabilities in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-033/ ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-16 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3281 ∗∗∗ IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7048851 ∗∗∗ Vulnerability of okio-1.13.0.jar is affecting APM WebSphere Application Server Agent, APM Tomcat Agent, APM SAP NetWeaver Java Stack Agent, APM WebLogic Agent and APM Data Collector for J2SE ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051173 ∗∗∗ IBM App Connect Enterprise is vulnerable to a potential information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051204 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2023
by Daily end-of-shift report 11 Oct '23

11 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2023 18:00 − Mittwoch 11-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft to kill off VBScript in Windows to block malware delivery ∗∗∗ --------------------------------------------- Microsoft is planning to phase out VBScript in future Windows releases after 30 years of use, making it an on-demand feature until it is removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-to-kill-off-vbscri… ∗∗∗ Microsoft warns of incorrect BitLocker encryption errors ∗∗∗ --------------------------------------------- Microsoft warned customers this week of incorrect BitLocker drive encryption errors being shown in some managed Windows environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-incorrec… ∗∗∗ LinkedIn Smart Links attacks return to target Microsoft accounts ∗∗∗ --------------------------------------------- Hackers are once again abusing LinkedIn Smart Links in phishing attacks to bypass protection measures and evade detection in attempts to steal Microsoft account credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linkedin-smart-links-attacks… ∗∗∗ Support-Ende für Windows Server 2012 R2: Warum Sie das nicht ignorieren dürfen ∗∗∗ --------------------------------------------- Ab sofort steht der Windows Server 2012 R2 komplett ohne Support dar. Doch aufgrund seiner Beliebtheit kommt er noch immer zum Einsatz – das muss sich ändern. --------------------------------------------- https://www.heise.de/news/Support-Ende-fuer-Windows-Server-2012-R2-Warum-Si… ∗∗∗ Wireshark Tutorial: Identifying Hosts and Users ∗∗∗ --------------------------------------------- When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-u… ∗∗∗ Distribution of Magniber Ransomware Stops (Since August 25th) ∗∗∗ --------------------------------------------- Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. --------------------------------------------- https://asec.ahnlab.com/en/57592/ ∗∗∗ The Risks of Exposing DICOM Data to the Internet ∗∗∗ --------------------------------------------- DICOM has revolutionized the medical imaging industry. However, it also presents potential vulnerabilities when exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2023/10/11/the-risks-of-exposing-dicom-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?, (Wed, Oct 11th) ∗∗∗ --------------------------------------------- Today, we got the promised fix for CVE-2023-38545. So here is a quick overview of how severe it is. --------------------------------------------- https://isc.sans.edu/diary/rss/30304 ∗∗∗ Patchday Microsoft: Attacken auf Skype for Business und WordPad ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Office und Windows veröffentlicht. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-Attacken-auf-Skype-for-Busines… ∗∗∗ Patchday Adobe: Schadcode-Attacken auf Magento-Shops und Photoshop möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in Bridge, Commerce, Magento Open Source und Photoshop mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Attacken-auf-Magento-Sho… ∗∗∗ Webbrowser: Google-Chrome-Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Google hat das wöchentliche Chrome-Update herausgegeben. Es schließt 20 Sicherheitslücken, von denen mindestens eine als kritisch gilt. --------------------------------------------- https://www.heise.de/news/Webbrowser-Google-Chrome-Update-schliesst-kritisc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), [...] --------------------------------------------- https://lwn.net/Articles/947409/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sicherheitsupdates Fortinet: Angreifer können Passwörter im Klartext einsehen ∗∗∗ --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Fortinet-Angreifer-koennen-Pas… ∗∗∗ K000137202 : Intel BIOS vulnerability CVE-2022-38083 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137202 ∗∗∗ Lenovo System Update Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500581-LENOVO-SYSTEM-UPDATE-VU… ∗∗∗ Lenovo View Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500580-LENOVO-VIEW-DENIAL-OF-S… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (October 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500582-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Lenovo Preload Directory Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500579-LENOVO-PRELOAD-DIRECTOR… ∗∗∗ [R1] Security Center Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-32 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2023
by Daily end-of-shift report 10 Oct '23

10 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2023 18:00 − Dienstag 10-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet ∗∗∗ --------------------------------------------- Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by IZ1H9 campaign. --------------------------------------------- https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyx… ∗∗∗ Over 17,000 WordPress sites hacked in Balada Injector attacks last month ∗∗∗ --------------------------------------------- Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-… ∗∗∗ The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages ∗∗∗ --------------------------------------------- A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites. --------------------------------------------- https://www.akamai.com/blog/security-research/magecart-new-technique-404-pa… ∗∗∗ Inzwischen vorhanden: Details zu gefixten Lücken in iOS 17 und Co. ∗∗∗ --------------------------------------------- Als iOS 17, iPadOS 17, watchOS 10 und tvOS 17 erschienen, machte Apple keine Angaben zu enthaltenen Sicherheitspatches. Mittlerweile lassen sie sich einsehen. --------------------------------------------- https://www.heise.de/-9319162 ∗∗∗ ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History ∗∗∗ --------------------------------------------- Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history. --------------------------------------------- https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-large… ∗∗∗ Take a note of SpyNote! ∗∗∗ --------------------------------------------- Among noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via smishing (i.e. malicious SMS messages) by urging the victims to install the app from provided links. Naturally, the hosting and downloading happen outside of the official Play Store app, to prevent the security evaluation done by Google Play Store from thwarting the spread of this spyware. --------------------------------------------- https://blog.f-secure.com/take-a-note-of-spynote/ ∗∗∗ Android-Geräte ab Werk mit Malware infiziert ∗∗∗ --------------------------------------------- Settop-Boxen mit bestimmten Chipsätzen von Allwinner und Rockchip enthalten den Trojaner Badbox. Der zeigt unterwünschte Werbung an und verbreitet schädliche Apps. --------------------------------------------- https://www.zdnet.de/88412275/android-geraete-ab-werk-mit-malware-infiziert/ ∗∗∗ Infostealer with Abnormal Certificate Being Distributed ∗∗∗ --------------------------------------------- Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguise themselves with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates. --------------------------------------------- https://asec.ahnlab.com/en/57553/ ∗∗∗ CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software ∗∗∗ --------------------------------------------- This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners… ===================== = Vulnerabilities = ===================== ∗∗∗ Per SSID: Schwachstelle in D-Link-Repeater erlaubt Codeausführung ∗∗∗ --------------------------------------------- Beim Netzwerk-Scan des D-Link DAP-X1860 kann es zu einer unerwünschten Codeausführung kommen. Über spezielle SSIDs sind Angriffe möglich. --------------------------------------------- https://www.golem.de/news/per-ssid-schwachstelle-in-d-link-repeater-erlaubt… ∗∗∗ Siemens Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- SSA-843070: SCALANCE W1750D, SSA-829656: Xpedition Layout Browser, SSA-784849: SIMATIC CP Devices, SSA-770890: SICAM A8000 Devices, SSA-647455: RUGGEDCOM APE1808 devices, SSA-594373: SINEMA Server V14, SSA-524778: Tecnomatix Plant Simulation, SSA-386812: Simcenter Amesim before V2021.1, SSA-295483: Mendix, SSA-160243: SINEC NMS before V2.0, SSA-134651: SICAM A8000 Devices, SSA-035466: SICAM PAS/PQS --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Backup: Acronis schließt Sicherheitslücken im Agent für Linux, Mac und Windows ∗∗∗ --------------------------------------------- Acronis hat eine Aktualisierung des Agent für Linux, Mac und Windows veröffentlicht. Sie dichtet unter anderem ein Leck mit hohem Risiko ab. --------------------------------------------- https://www.heise.de/-9329516 ∗∗∗ Sicherheitsupdates: Schadcode- und Root-Lücken bedrohen IBM-Software ∗∗∗ --------------------------------------------- IBM hat unter anderem im Datenbankmanagementsystem Db2 schwerwiegende Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de/-9329404 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown). --------------------------------------------- https://lwn.net/Articles/947233/ ∗∗∗ One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems ∗∗∗ --------------------------------------------- A one-click exploit targeting the Libcue component of the GNOME desktop environment could pose a serious threat to Linux systems. --------------------------------------------- https://www.securityweek.com/one-click-gnome-exploit-could-pose-serious-thr… ∗∗∗ SAP Releases 7 New Notes on October 2023 Patch Day ∗∗∗ --------------------------------------------- SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated ‘medium severity’. --------------------------------------------- https://www.securityweek.com/sap-releases-7-new-notes-on-october-2023-patch… ∗∗∗ Unverschlüsselte Bluetoothverbindung bei Smartwatch Amazfit Bip U (SYSS-2023-022) ∗∗∗ --------------------------------------------- Die Smartwatch Amazfit Bip U kommuniziert unverschlüsselt mit dem verbundenen Smartphone. Alle Nachrichten können daher von Angreifenden abgehört werden. --------------------------------------------- https://www.syss.de/pentest-blog/unverschluesselte-bluetoothverbindung-bei-… ∗∗∗ Ivanti Endpoint Manager new vulnerabilities ∗∗∗ --------------------------------------------- There are two vulnerabilities we have recently discovered that impact Ivanti Endpoint Manager (EPM) versions 2022 and below. They both have CVSS scores in the ‘Moderate’ range. We are reporting them as CVE-2023-35083 and CVE-2023-35084. --------------------------------------------- https://www.ivanti.com/blog/ivanti-endpoint-manager-new-vulnerabilities ∗∗∗ F5 BIG-IP Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_publishe… ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Citrix NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-ga… ∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2023
by Daily end-of-shift report 09 Oct '23

09 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2023 18:00 − Montag 09-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HelloKitty ransomware source code leaked on hacking forum ∗∗∗ --------------------------------------------- A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source… ∗∗∗ High-Severity Flaws in ConnectedIOs 3G/4G Routers Raise Concerns for IoT Security ∗∗∗ --------------------------------------------- Multiple high-severity security vulnerabilities have been disclosed in ConnectedIOs ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data. --------------------------------------------- https://thehackernews.com/2023/10/high-severity-flaws-in-connectedios.html ∗∗∗ Turn OFF This WatchGuard Feature - GuardLapse ∗∗∗ --------------------------------------------- Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuards SSO does under certain circumstances. --------------------------------------------- https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/ ∗∗∗ Amazon Prime email scammer snatches defeat from the jaws of victory ∗∗∗ --------------------------------------------- A very convincing Amazon Prime scam landed in our mail server today and...went straight to spam. Heres why. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/10/amazon-prime ∗∗∗ Credential Harvesting Campaign Targets Unpatched NetScaler Instances ∗∗∗ --------------------------------------------- Threat actors are targeting Citrix NetScaler instances unpatched against CVE-2023-3519 to steal user credentials. --------------------------------------------- https://www.securityweek.com/credential-harvesting-campaign-targets-unpatch… ∗∗∗ The reality of Apple watch pen testing ∗∗∗ --------------------------------------------- We were approached to do an Apple Watch application test. It seems this isn’t a standard service offered by most companies (including us, although we’ve done plenty of work [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/the-reality-of-apple-watch-pe… ∗∗∗ Immer wieder Abo-Fallen bei IQ-Tests wie auf iq-fast.com/de! ∗∗∗ --------------------------------------------- Wer einen IQ-Test durchführen möchte, findet im Internet unzählige Angebote dafür. Auch iq-fast.com/de lockt mit einem entsprechenden Test auf die eigene Website. Abgesehen von der minderwertigen Qualität des dort angebotenen Tests, der lediglich aus 20 Fragen besteht, führt eine Eingabe der Kreditkartendaten nicht zum Erhalt sinnvoller Ergebnisse, sondern in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/immer-wieder-abo-fallen-bei-iq-tests… ∗∗∗ Fake friends and followers on social media – and how to spot them ∗∗∗ --------------------------------------------- One of the biggest threats to watch out for on social media is fraud perpetrated by people who aren’t who they claim to be. Here’s how to recognize them. --------------------------------------------- https://www.welivesecurity.com/en/social-media/fake-friends-followers-socia… ∗∗∗ Android TV Boxes Infected with Backdoors, Compromising Home Networks ∗∗∗ --------------------------------------------- The Android TV box you recently purchased may be riddled with harmful backdoors. --------------------------------------------- https://www.hackread.com/android-tv-boxes-backdoors-home-networks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, gnome-boxes, grub2, inetutils, lemonldap-ng, prometheus-alertmanager, python-urllib3, thunderbird, and vinagre), Fedora (freeimage, fwupd, libspf2, mingw-freeimage, thunderbird, and vim), Gentoo (c-ares, dav1d, Heimdal, man-db, and Oracle VirtualBox), Oracle (bind, bind9.16, firefox, ghostscript, glibc, ImageMagick, and thunderbird), Slackware (netatalk), SUSE (ImageMagick, nghttp2, poppler, python, python-gevent, and yq), and Ubuntu (bind9 and vim). --------------------------------------------- https://lwn.net/Articles/947117/ ∗∗∗ Vulnerabilities in Music Station ∗∗∗ --------------------------------------------- Two path traversal vulnerabilities have been reported to affect Music Station. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-28 ∗∗∗ Vulnerabilities in ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been reported in ClamAV. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-26 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-37 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-36 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-39 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2023
by Daily end-of-shift report 06 Oct '23

06 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2023 18:00 − Freitag 06-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploits released for Linux flaw giving root on major distros ∗∗∗ --------------------------------------------- Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Librarys dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-… ∗∗∗ Jetzt patchen! Exploits für glibc-Lücke öffentlich verfügbar ∗∗∗ --------------------------------------------- Nachdem der Bug in der Linux-Bibliothek glibc am vergangenen Dienstag bekannt wurde, sind nun zuverlässig funktionierende Exploits aufgetaucht. --------------------------------------------- https://www.heise.de/-9326518 ∗∗∗ Finanzbetrug per Telefon: Ignorieren Sie Anrufer:innen, die Sie zu Investitionen überreden wollen ∗∗∗ --------------------------------------------- Finanzbetrug ist ein lukratives Geschäft. Der finanzielle Schaden für die Betroffenen ist oft enorm. Gleichzeitig ist der Finanzmarkt streng reguliert, um Betrug in diesem Bereich zu erschweren. Das ist mit ein Grund, wieso Betrüger:innen immer wieder neue Wege finden, um an ihre Opfer zu kommen. Aktuell berichten unsere Leser:innen vermehrt davon, dass sie von Kriminellen angerufen und direkt am Telefon zu Investments überredet werden. --------------------------------------------- https://www.watchlist-internet.at/news/finanzbetrug-per-telefon-ignorieren-… ∗∗∗ Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform ∗∗∗ --------------------------------------------- In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles. --------------------------------------------- https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze… ∗∗∗ Microsoft: Human-operated ransomware attacks tripled over past year ∗∗∗ --------------------------------------------- Human-operated ransomware attacks are up more than 200% since September 2022, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground. --------------------------------------------- https://therecord.media/human-operated-ransomware-attacks-report-microsoft ∗∗∗ New tool: le-hex-to-ip.py, (Thu, Oct 5th) ∗∗∗ --------------------------------------------- So, this week it is my privilege to be TA-ing for Taz Wake for the beta run of his new class FOR577: Linux Incident Response and Threat Hunting. We were looking in the linux /proc filesystem and were noticing in the /proc//net/{tcp/udp/icmp/...} that the IP addresses were listed in hex, but little-endian. I immediately remembered Didier's Handler's Diary from last week about the IPs in the event logs that were in decimal and little endian. --------------------------------------------- https://isc.sans.edu/diary/rss/30284 ∗∗∗ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Dell SmartFabric Storage Software ∗∗∗ --------------------------------------------- Dell hat mehrere gefährliche Sicherheitslücken in SmartFabric Storage Software geschlossen. --------------------------------------------- https://www.heise.de/-9326738 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/946848/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2023
by Daily end-of-shift report 05 Oct '23

05 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2023 18:00 − Donnerstag 05-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Curl 8.4.0 is to be released on October 11th ... ∗∗∗ --------------------------------------------- ... containing a fix for "the worst security problem found in curl in a long time". The associated CVE is expected to be published shortly after. Use the time to check where you have #curl & #libcurl in your environment. --------------------------------------------- https://twitter.com/pyotam2/status/1709305830573473987 ∗∗∗ Jetzt patchen! Confluence Data Center: Angreifer machen sich zu Admins ∗∗∗ --------------------------------------------- Atlassian hat eine kritische Sicherheitslücke in Confluence Data Center und Server geschlossen. --------------------------------------------- https://www.heise.de/-9325414 ∗∗∗ Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts ∗∗∗ --------------------------------------------- A security researcher noticed Lorenz's dark web victim blog was leaking backend code, pulled the data from the site, and uploaded to it a public GitHub repository. The data includes names, email addresses, and the subject line entered into the ransomware group's limited online form to request information from Lorenz. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/05/lorenz_ranso… ∗∗∗ The discovery of Gatekeeper bypass CVE-2023-27943 ∗∗∗ --------------------------------------------- Looking for vulnerabilities is not my usual daily routine. I am a software developer for Endpoint Security software. I implement new features, improve existing functionality, fixing bugs. So, the discovery of this vulnerability was a surprise. And it made me scared that a macOS update broke our product. In the end, it turned out to be quite a severe vulnerability on macOS. --------------------------------------------- https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/ ∗∗∗ H1 2023 – a brief overview of main incidents in industrial cybersecurity ∗∗∗ --------------------------------------------- In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. --------------------------------------------- https://ics-cert.kaspersky.com/publications/h1-2023-a-brief-overview-of-mai… ∗∗∗ Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit ∗∗∗ --------------------------------------------- In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile. --------------------------------------------- https://www.thezdi.com/blog/2023/10/5/looking-at-the-attack-surface-of-the-… ∗∗∗ Exposing Infection Techniques Across Supply Chains and Codebases ∗∗∗ --------------------------------------------- This entry delves into threat actors intricate methods to implant malicious payloads within seemingly legitimate applications and codebases. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/infection-techniques-across-… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I ∗∗∗ --------------------------------------------- At 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerabilty(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation. --------------------------------------------- https://devco.re/blog/2023/10/05/your-printer-is-not-your-printer-hacking-p… ∗∗∗ EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability ∗∗∗ --------------------------------------------- Threat actors are exploiting the open redirection vulnerability on Indeed.com to launch EvilProxy phishing attacks against high-ranking executives. --------------------------------------------- https://www.hackread.com/evilproxy-phishing-kit-microsoft-indeed-vulnerabil… ∗∗∗ CISA and NSA Release New Guidance on Identity and Access Management ∗∗∗ --------------------------------------------- Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new… ∗∗∗ Notruf-Tool Cisco Emergency Responder mit statischen Zugangsdaten ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für mehrere Produkte wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://www.heise.de/-9325669 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-10-04 ∗∗∗ --------------------------------------------- Cisco has published 3 Security Advisories (1 Critical, 1 High, 1 Medium Severity) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ (0Day) D-Link ∗∗∗ --------------------------------------------- ZDI-23-1501 - ZDI-23-1525: Multiple Routers, DIR-X3260, DAP-2622, DAP-1325 and D-View --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Wieder Exploit-Update für iOS und iPadOS – das wohl auch Hitzeproblem fixt ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Donnerstag erneut wichtige Fixes für sein iPhone- und iPad-Betriebssystem vorgelegt. Es geht um Sicherheit und Überhitzung. --------------------------------------------- https://www.heise.de/-9325367 ∗∗∗ Malware-Schutz: Schwachstellen in Watchguard EPDR und AD360 geschlossen ∗∗∗ --------------------------------------------- In den Malware-Schutzlösungen Watchguard EPDR und AD360 klaffen teils Sicherheitslücken mit hohem Risiko. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/-9326078 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023) ∗∗∗ --------------------------------------------- Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django). --------------------------------------------- https://lwn.net/Articles/946698/ ∗∗∗ ZDI-23-1498: Ansys SpaceClaim X_B File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1498/ ∗∗∗ Open Redirect in SAP® BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/open-redirect-in-bsp-tes… ∗∗∗ Qognify NiceVision ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02 ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-03 ∗∗∗ Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2023
by Daily end-of-shift report 04 Oct '23

04 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2023 18:00 − Mittwoch 04-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitswarnung: Schwachstellen in Qualcomm-Treibern werden aktiv ausgenutzt ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Qualcomm-Treibern gefährden Smartphones und Tablets weltweit. Patches sind vorhanden - zumindest bei den Herstellern. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-schwachstellen-in-qualcomm-tre… ∗∗∗ Looney Tunables: Schwachstelle in C-Bibliothek gefährdet Linux-Systeme ∗∗∗ --------------------------------------------- Eine Pufferüberlauf-Schwachstelle im dynamischen Lader von glibc ermöglicht es Angreifern, auf Linux-Systemen Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/looney-tunables-schwachstelle-in-c-bibliothek-gef… ∗∗∗ Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement ∗∗∗ --------------------------------------------- Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment to gain access and elevated permissions to a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vect… ∗∗∗ Optimizing WordPress: Security Beyond Default Configurations ∗∗∗ --------------------------------------------- Default configurations in software are not always the most secure. For example, you might buy a network-attached home security camera from your friendly neighborhood electronics store. While these are handy to keep an eye on your property from the comfort of your phone, they also typically come shipped with a default username and password. And since they are connected to the web, they can be accessed from anywhere. Attackers know this, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/optimizing-wordpress-security-beyond-defaul… ∗∗∗ Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," [...] --------------------------------------------- https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html ∗∗∗ Patchday: Attacken auf Android 11, 12 und 13 beobachtet ∗∗∗ --------------------------------------------- Unter anderem Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Zwei Lücken haben Angreifer bereits im Visier. --------------------------------------------- https://www.heise.de/-9324125.html ∗∗∗ Linux tries to dump Windows notoriously insecure RNDIS protocol ∗∗∗ --------------------------------------------- Here we go again. Linux developers are trying, once more, to rid Linux of Microsofts Remote Network Driver Interface Specification. Heres why its complicated. --------------------------------------------- https://www.zdnet.com/home-and-office/networking/linux-tries-to-dump-window… ∗∗∗ Five Misconfigurations Threatening Your AWS Environment Today ∗∗∗ --------------------------------------------- In the ever-expanding realm of AWS, with over 200 services at your disposal, securing your cloud account configurations and mastering complex environments can feel like an overwhelming challenge. To help you prioritize and root them out, we’ve put together a guide for AWS configurations that are most commonly overlooked. Here are five of the top misconfigurations that could be lurking in your AWS environment right now. --------------------------------------------- https://blog.aquasec.com/five-misconfigurations-threatening-your-aws-enviro… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server ∗∗∗ --------------------------------------------- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. --------------------------------------------- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalati… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102). --------------------------------------------- https://lwn.net/Articles/946496/ ∗∗∗ New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks ∗∗∗ --------------------------------------------- Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models. --------------------------------------------- https://www.securityweek.com/new-supermicro-bmc-vulnerabilities-could-expos… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2023
by Daily end-of-shift report 03 Oct '23

03 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2023 18:00 − Dienstag 03-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ AVM: Fritzbox-Schwachstelle wohl ohne Fernzugriff ausnutzbar ∗∗∗ --------------------------------------------- Seit Anfang September verteilt AVM Sicherheitsupdates für die Fritzbox. Inzwischen gibt es weitere Informationen zur gepatchten Schwachstelle. --------------------------------------------- https://www.golem.de/news/avm-fritzbox-schwachstelle-wohl-ohne-fernzugriff-… ∗∗∗ Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) ∗∗∗ --------------------------------------------- Researchers have identified the exfiltration infrastructure of a LockBit affiliate while investigating a LockBit extortion incident that occurred in Q3 2023. --------------------------------------------- https://securityaffairs.com/151862/breaking-news/exfiltration-infrastructur… ∗∗∗ BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums ∗∗∗ --------------------------------------------- Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023. --------------------------------------------- https://securityaffairs.com/151869/malware/bunnyloader-maas.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Cloudflare Protection Bypass Vulnerability on Threat Actors’ Radar ∗∗∗ --------------------------------------------- Researchers have identified two mechanisms that hinge on the assumption that traffic originating from Cloudflare towards the origin server is inherently trustworthy, while traffic from other origins should be blocked. --------------------------------------------- https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-ac… ∗∗∗ Drei Fragen und Antworten: Der beste Schutz für das Active Directory ∗∗∗ --------------------------------------------- Bis zu 90 Prozent aller Angriffe bedienen sich Microsofts Active Directory – es ist der Hebel, um die eigene Sicherheit zu verbessern. Wir zeigen, wie das geht. --------------------------------------------- https://www.heise.de/news/Drei-Fragen-und-Antworten-Der-beste-Schutz-fuer-d… ∗∗∗ Exim-Lücke: Erste Patches laufen ein ∗∗∗ --------------------------------------------- Nach verschiedenen Kommunikationspannen hat das Exim-Team kritische Sicherheitslücken im beliebten Mailserver behoben. Debian verteilt bereits Updates. --------------------------------------------- https://www.heise.de/news/Exim-Luecke-Erste-Patches-laufen-ein-9323709.html… ∗∗∗ Angriffe auf ältere Android-Geräte: Lücke in Mali-GPU nur teilweise geschlossen ∗∗∗ --------------------------------------------- Aufgrund mehrerer Schwachstellen im Treiber der Grafikeinheit Mali sind unter anderem Smartphone-Modelle von Samsung und Xiaomi verwundbar. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-aeltere-Android-Geraete-Luecke-in-Ma… ∗∗∗ Booking.com: Achtung bei „fehlgeschlagener Zahlung“ oder „Verifikation Ihrer Zahlungsinfos“ ∗∗∗ --------------------------------------------- Fälle, in denen Unterkünfte über booking.com gebucht wurden und Buchende anschließend zur Verifikation ihrer Zahlungen oder zu einer neuerlichen Zahlung aufgefordert werden, häufen sich aktuell. Vorsicht ist geboten, denn die Aufforderungen stammen von Kriminellen, die sich Zugang zu den Buchungsdaten verschaffen konnten und es nun auf das Geld der Hotelgäste abgesehen haben! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-achtung-bei-fehlgeschlage… ∗∗∗ Fortinet Labs Uncovers Series of Malicious NPM Packages Stealing Data ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM. --------------------------------------------- https://www.hackread.com/fortinet-labs-malicious-npm-packages-steal-data/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Edge, Teams get fixes for zero-days in open-source libraries ∗∗∗ --------------------------------------------- Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fi… ∗∗∗ Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers ∗∗∗ --------------------------------------------- Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploi… ∗∗∗ Jetzt patchen! Ransomware schlüpft durch kritische TeamCity-Lücke ∗∗∗ --------------------------------------------- Angreifer nutzen eine Sicherheitslücke des Software-Distributionssystems TeamCity aus, das weltweit über 30.000 Firmen wie Citibank, HP und Nike einsetzen. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Ransomware-schluepft-durch-kritisch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird). --------------------------------------------- https://lwn.net/Articles/946313/ ∗∗∗ Mattermost security updates Desktop app v5.5.1 and Mobile app v2.8.1 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses the vulnerability CVE-2023-4863 of the third-party library libwebp which was affecting the Desktop app and the Mobile iOS app. We highly recommend that you apply the update. The security update is available for Mattermost dot releases Desktop app v5.5.1 and Mobile app v2.8.1. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-desktop-app-v5-5-1-… ∗∗∗ K000137090 : Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137090?utm_source=f5support&utm_medi… ∗∗∗ K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137093?utm_source=f5support&utm_medi… ∗∗∗ The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are vulnerable to a server-side request forgery due to Apache Batik (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043490 ∗∗∗ Vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043727 ∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to Google Protocol Buffer protobuf-cpp (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045071 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035373 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035370 ∗∗∗ Multiple vulnerabilities in the IBM Java Runtime affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035371 ∗∗∗ A vulnerability in libcURL affect IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035382 ∗∗∗ IBM Spectrum Symphony openssl 1.1.1 End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045753 ∗∗∗ IBM\u00ae Db2\u00ae is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2023
by Daily end-of-shift report 02 Oct '23

02 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2023 18:00 − Montag 02-10-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang ∗∗∗ --------------------------------------------- The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-… ∗∗∗ New Marvin attack revives 25-year-old decryption flaw in RSA ∗∗∗ --------------------------------------------- A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25… ∗∗∗ The Silent Threat of APIs: What the New Data Reveals About Unknown Risk ∗∗∗ --------------------------------------------- The rapid growth of APIs creates a widening attack surface and increasing unknown cybersecurity risks. --------------------------------------------- https://www.darkreading.com/attacks-breaches/silent-threat-of-apis-what-new… ∗∗∗ Jetzt patchen: Exploit für kritische Sharepoint-Schwachstelle aufgetaucht ∗∗∗ --------------------------------------------- Er ist Teil einer sehr effektiven Exploit-Kette zur Schadcodeausführung auf Sharepoint-Servern, die ein Forscher kürzlich offenlegte. --------------------------------------------- https://www.golem.de/news/jetzt-patchen-exploit-fuer-kritische-sharepoint-s… ∗∗∗ Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar ∗∗∗ --------------------------------------------- Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. --------------------------------------------- https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html ∗∗∗ BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground ∗∗∗ --------------------------------------------- Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader thats being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," [...] --------------------------------------------- https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Early signs emerge after Progress Software said there were no active attempts last week Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Temporary suspension of automatic snap registration following security incident ∗∗∗ --------------------------------------------- On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately. --------------------------------------------- https://forum.snapcraft.io/t/temporary-suspension-of-automatic-snap-registr… ∗∗∗ The Hitchhikers Guide to Malicious Third-Party Dependencies ∗∗∗ --------------------------------------------- The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, [...] In this work, we show how attackers can [...] achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain chain attacks. --------------------------------------------- https://arxiv.org/abs/2307.09087 ∗∗∗ Fritzbox-Sicherheitsleck analysiert: Risiko sogar bei deaktiviertem Fernzugriff ∗∗∗ --------------------------------------------- AVM schließt bei vielen Fritzboxen eine Sicherheitslücke. Unserer Analyse zufolge lässt sie sich aus der Ferne ausnutzen – sogar mit abgeschaltetem Fernzugriff. --------------------------------------------- https://www.heise.de/-9323225.html ∗∗∗ BSI-Umfrage: Kritische Infrastrukturen haben Nachholbedarf bei IT-Sicherheit ∗∗∗ --------------------------------------------- Vor allem bei der Umsetzung organisatorischer Sicherheitsmaßnahmen hapert es noch bei Betreibern kritischer Infrastrukturen. Gründe: Personal- und Geldmangel. --------------------------------------------- https://www.heise.de/-9323606.html ∗∗∗ Don’t Let Zombie Zoom Links Drag You Down ∗∗∗ --------------------------------------------- Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks. --------------------------------------------- https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-dow… ∗∗∗ Silverfort Open Sources Lateral Movement Detection Tool ∗∗∗ --------------------------------------------- Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions. --------------------------------------------- https://www.securityweek.com/silverfort-open-sources-lateral-movement-detec… ∗∗∗ Die Österreichische Post AG verkauft keine Zufallspakete für 2 Euro! ∗∗∗ --------------------------------------------- Betrügerische Werbeschaltungen auf Facebook spielen vor, dass die Post AG nicht zustellbare Pakete für nur 2 Euro verkauft. Angeblich haben Sie so die Möglichkeit, mit tollen Gegenständen wie Tablets, Kaffeemaschinen oder Büchern überrascht zu werden. Achtung: Es handelt sich um reinen Betrug. Werbung und Profile stammen nicht von der Post und die Pakete existieren nicht. Sie landen hier in einer Abo-Falle oder geben Ihr Zahlungsmittel unbeabsichtigt für Zahlungen durch Kriminelle frei. --------------------------------------------- https://www.watchlist-internet.at/news/die-oesterreichische-post-ag-verkauf… ∗∗∗ Keine Warnung zu den aktuellen Exim Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) ∗∗∗ --------------------------------------------- Am Mittwoch 27. September wurden durch die Zero Day Initiative sechs Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) im Mail Transfer Agent (MTA) Exim veröffentlicht.[1][2][3][4][5][6] Nach interner Analyse und im Austausch mit Experten sind wir zu ähnlichen Schlüssen, wie nun auf der offiziellen Mailingliste des Projekts veröffentlicht[7], gekommen. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/keine-warnung-zu-den-aktuellen-exim-sc… ∗∗∗ E-Mail-Angriff via Dropbox ∗∗∗ --------------------------------------------- BEC 3.0-Angriffe häufen sich und sind noch schwieriger zu erkennen, weil Hacker Links über legitime Dienste versenden. --------------------------------------------- https://www.zdnet.de/88412118/e-mail-angriff-via-dropbox/ ∗∗∗ Kritische Sicherheitsupdates: Chrome, Edge, Firefox, Thunderbird,Tor ∗∗∗ --------------------------------------------- Ende September 2023 gab es Sicherheitsupdates für diverse Software, die kritische Schwachstellen (0-Days) schließen sollen. Bei den Chromium-Browsern wurde eine Sicherheitslücke im V8 Encoder geschlossen (betrifft Google Chrome und beim Edge). Die Mozilla Entwickler haben ebenfalls Notfall-Updates für den Firefox und den Thunderbird herausgebracht. Und Tor wurde diesbezüglich ebenfalls aktualisiert. Ich fasse mal die Updates in diesem Sammelbeitrag zusammen. --------------------------------------------- https://www.borncity.com/blog/2023/10/02/kritische-sicherheitsupdates-chrom… ∗∗∗ Bitsight identifies nearly 100,000 exposed industrial control systems ∗∗∗ --------------------------------------------- Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure. --------------------------------------------- https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-ind… ===================== = Vulnerabilities = ===================== ∗∗∗ JetBrains TeamCity Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- Topic: JetBrains TeamCity Unauthenticated Remote Code Execution Risk: High Text:## # This module requires Metasploit [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2023100003 ∗∗∗ OpenRefines Zip Slip Vulnerability Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. --------------------------------------------- https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html ∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.1.381 ∗∗∗ --------------------------------------------- Released version 10.1.1.381, which addresses potential security and stability issues. --------------------------------------------- https://www.tracker-software.com/support/security-bulletins.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen). --------------------------------------------- https://lwn.net/Articles/946186/ ∗∗∗ Suprema BioStar 2 ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01 ∗∗∗ Multiple Vulnerabilities in Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ K000137058 : Linux kernel vulnerability CVE-2022-4269 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137058 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2023
by Daily end-of-shift report 29 Sep '23

29 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2023 18:00 − Freitag 29-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Version 1.0: Ungepatchte Schwachstellen im Mail Transfer Agent Exim ∗∗∗ --------------------------------------------- Der Open Source Mail Transfer Agent (MTA) Exim weist mehrere schwerwiegende ungepatchte Schwachstellen auf. Besonders kritisch ist eine Buffer Overflow Schwachstelle in der SMTP-Implementierung, CVE-2023-42115, die einer entfernten, unauthorisierten angreifenden Person gegebenenfalls das Ausführen von Code mit Rechten des Service Accounts, mit dem Exim betrieben wird, ermöglicht. Sie erreicht daher eine CVSS-Bewertung von 9.8 ("kritisch"). --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-2… ∗∗∗ Betrifft unzählige Anwendungen: Zero-Day-Schwachstelle in VP8-Videokodierung ∗∗∗ --------------------------------------------- Google hat mal wieder eine Zero-Day-Schwachstelle in Chrome gepatcht. Neben gängigen Webbrowsern sind aber auch viele andere Apps betroffen. --------------------------------------------- https://www.golem.de/news/betrifft-unzaehlige-anwendungen-zero-day-schwachs… ∗∗∗ Dringend patchen: Schwachstelle mit maximalem Schweregrad in WS_FTP ∗∗∗ --------------------------------------------- Der Entwickler der Datentransfersoftware Moveit hat erneut kritische Schwachstellen behoben - dieses Mal in der Serveranwendung WS_FTP. --------------------------------------------- https://www.golem.de/news/dringend-patchen-schwachstelle-mit-maximalem-schw… ∗∗∗ Important release of LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community with key security fix ∗∗∗ --------------------------------------------- The Document Foundation is releasing LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community ahead of schedule to address a security issue known as CVE 2023-4863, which originates in a widely used code library known as libwebp, created by Google more than a decade ago to render the then-new WebP graphics format. --------------------------------------------- https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ ∗∗∗ Jetzt patchen! Angreifer haben Netzwerkgeräte von Cisco im Visier ∗∗∗ --------------------------------------------- Cisco hat unter anderem eine kritische Lücke in Catalyst SD-WAN geschlossen. Außerdem gibt es Sicherheitsupdates für weitere Produkte. --------------------------------------------- https://www.heise.de/-9320947.html ∗∗∗ Balkonkraftwerke: Hoymiles schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Der Wechselrichterhersteller hat die Lücken in der API geschlossen – das haben wir verifiziert. Im Gespräch gelobte Hoymiles Besserung. --------------------------------------------- https://www.heise.de/-9321291.html ∗∗∗ Malicious ad served inside Bings AI chatbot ∗∗∗ --------------------------------------------- Users looking for software downloads may be tricked into visiting malicious websites via their interaction with Bing Chat. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-… ∗∗∗ Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks ∗∗∗ --------------------------------------------- Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations. --------------------------------------------- https://www.securityweek.com/hackers-set-sights-on-apache-nifi-flaw-that-ex… ∗∗∗ Oktober ist Cyber Security Month: Tipps und Veranstaltungen ∗∗∗ --------------------------------------------- Im Oktober dreht sich alles um Cyber-Sicherheit. Machen auch Sie mit und nutzen Sie das vielfältige Angebot. Wir zeigen Ihnen, wie Sie Ihre Kenntnisse zu Phishing, Randsomeware und Co. verbessern. --------------------------------------------- https://www.watchlist-internet.at/news/oktober-ist-cyber-security-month-tip… ∗∗∗ Betrügerisches EP-Gewinnspiel wird massenhaft per SMS verschickt ∗∗∗ --------------------------------------------- „Gratulation an die EP Electronic Gewinner”. Dieser Text steht in einer SMS, die derzeit massenhaft von Kriminellen verschickt wird. Besonders perfid: In der SMS werden auch die Namen der angeblichen Gewinner:innen genannt. Selbst wenn Ihr Name in der SMS auftaucht, sollten Sie nicht auf den mitgeschickten Link klicken! Betrüger:innen versuchen Sie in die Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-ep-gewinnspiel-wird-… ∗∗∗ CL0P Seeds ^_- Gotta Catch Em All! ∗∗∗ --------------------------------------------- CL0P is distributing ransomware data via torrents. We investigate this new method, including seeds we’ve tracked — disguising victims with Pokemon. Catch them all! --------------------------------------------- https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-… ∗∗∗ Phishing via Dropbox ∗∗∗ --------------------------------------------- A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks. Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page. It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites—like Dropbox—to send and host phishing material. --------------------------------------------- https://blog.checkpoint.com/harmony-email/phishing-via-dropbox/ ∗∗∗ Analysis of Time-to-Exploit Trends: 2021-2022 ∗∗∗ --------------------------------------------- Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing. Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch. --------------------------------------------- https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/945965/ ∗∗∗ Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Vulnerabilities in node.js affect Cloud Pak Sytem [CVE-2023-28154, CVE-2022-46175, CVE-2022-3517] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038776 ∗∗∗ IBM Instana Observability is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7041863 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-toolset and amicontained ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039373 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2023-29409 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032246 ∗∗∗ Vulnerabilities in XStream library affects IBM Engineering Test Management (ETM) (CVE-2022-40151) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042166 ∗∗∗ Vulnerabilities in xercesImpl library affects IBM Engineering Test Management (ETM) (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042167 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042172 ∗∗∗ Vulnerabilities in batik-all library affects IBM Engineering Test Management (ETM) (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042170 ∗∗∗ Multiple vulnerabilities in IBM Storage Defender \u2013 Data Protect ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040913 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2023
by Daily end-of-shift report 28 Sep '23

28 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2023 18:00 − Donnerstag 28-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Release Details of New RCE Exploit Chain for SharePoint ∗∗∗ --------------------------------------------- One of the already-patched flaws enables elevation of privilege, while the other enables remote code execution. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/reseachers-release-deta… ∗∗∗ Unzählige Anwendungen betroffen: Chaos bei WebP-Lücke ∗∗∗ --------------------------------------------- Anfangs ordnete Google die Lücke aber nur dem hauseigenen Webbrowser Chrome zu. Mittlerweile hat Google sich aber korrigiert und für die alte Sicherheitslücke (CVE-2023-4863 "hoch") den neuen Eintrag CVE-2023-5129 mit einer kritischen Einstufung (CVSS Score 10 von 10) eingereicht. Dieser wurde aber bereits nach sechs Stunden durch Google als ungültig erklärt. Als Grund ist angegeben, dass der neue Eintrag sich mit dem alten Eintrag doppelt. --------------------------------------------- https://www.heise.de/-9319783 ∗∗∗ SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade ∗∗∗ --------------------------------------------- Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That’s especially concerning when it comes to security. --------------------------------------------- http://security.googleblog.com/2023/09/sms-security-privacy-gaps-make-it-cl… ∗∗∗ Mit Cloudflare Cloudflare umgehen ∗∗∗ --------------------------------------------- Von Cloudflare-Kunden konfigurierte Schutzmechanismen (z. B. Firewall, DDoS-Schutz) für Webseiten können aufgrund von Lücken in den mandantenübergreifenden Schutzmaßnahmen umgangen werden, wodurch Kunden potenziell Angriffen ausgesetzt sind, welche von Cloudflare verhindert werden sollten. --------------------------------------------- https://certitude.consulting/blog/de/cloudflare-verwenden-um-cloudflare-zu-… ∗∗∗ TrendMicro veröffentlicht kritischen Patch für Apex One SP1 Build 12512 ∗∗∗ --------------------------------------------- Der kritische Patch beseitigt gleich mehrere Bugs, wovon einer verhindert, dass der Apex One-Server Virenerkennungsprotokolldaten von verwalteten Sicherheitsagenten empfangen kann. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/trendmicro-verffentlicht-kritische… ∗∗∗ SSH keys stolen by stream of malicious PyPI and npm packages ∗∗∗ --------------------------------------------- A stream of malicious npm and PyPi packages have been found stealing a wide range of sensitive data from software developers on the platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-09-27 ∗∗∗ --------------------------------------------- Cisco has published 15 security advisories: (1x Critical, 7x High, 6x Medium, 1x Informational) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Hoymiles: Bedrohliche Lücken in der S-Miles-Cloud ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat sich Hoymiles Cloudservice genauer angesehen und Lücken gefunden, über die Wechselrichter sogar zerstört werden können. --------------------------------------------- https://www.heise.de/-9319500 ∗∗∗ Mozilla: Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx. Impact: critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Google Chrome 117.0.5938.132 ∗∗∗ --------------------------------------------- Google hat zum 27. September 2023 Updates des Google Chrome Browsers 117 im Stable Channel für Mac, Linux und Windows freigegeben. Es ist ein Sicherheitsupdate, das ausgerollt werden und mehrere Schwachstellen (Einstufung teilweise als "hoch") beseitigen sollen. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/google-chrome-117-0-5938-132/ ∗∗∗ GStreamer Security Advisories 2023-09-20 ∗∗∗ --------------------------------------------- GStreamer has published 3 security advisories at 2023-09-20. --------------------------------------------- https://gstreamer.freedesktop.org/security/ ∗∗∗ Hancom Office 2020 HWord footerr use-after-free vulnerability ∗∗∗ --------------------------------------------- A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1759 ∗∗∗ Accusoft ImageGear dcm_pixel_data_decode out-of-bounds write vulnerability ∗∗∗ --------------------------------------------- An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1802 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ncurses), Fedora (emacs, firecracker, firefox, libkrun, python-oauthlib, and virtiofsd), Mageia (glibc and vim), Oracle (18), SUSE (bind, binutils, busybox, cni, cni-plugins, container-suseconnect, containerd, curl, exempi, ffmpeg, firefox, go1.19-openssl, go1.20-openssl, gpg2, grafana, gsl, gstreamer-plugins-bad, gstreamer-plugins-base, libpng15, libwebp, mutt, nghttp2, open-vm-tools, pmix, python-brotlipy, python3, python310, qemu, quagga, rubygem-actionview-5_1, salt, supportutils, xen, and xrdp), and Ubuntu (libwebp, minidlna, puma, and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/945829/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0009 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-39928, CVE-2023-35074, CVE-2023-39434, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0009.html ∗∗∗ (0Day) Control Web Panel ∗∗∗ --------------------------------------------- ZDI-23-1476 - ZDI-23-1479 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) Exim ∗∗∗ --------------------------------------------- ZDI-23-1468 - ZDI-23-1473 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ ZDI-23-1475: (0Day) Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1475/ ∗∗∗ ZDI-23-1474: (0Day) Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1474/ ∗∗∗ Drupal: Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-047 ∗∗∗ Drupal: Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-046 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rockwell Automation PanelView 800 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-01 ∗∗∗ DEXMA DexGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2023
by Daily end-of-shift report 27 Sep '23

27 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2023 18:00 − Mittwoch 27-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unzählige Anwendungen betroffen: WebP-Schwachstelle erreicht maximalen Schweregrad ∗∗∗ --------------------------------------------- Die Schwachstelle in der WebP-Bibliothek wurde zuvor fälschlicherweise als Chrome-Bug markiert. Sie betrifft aber weitaus mehr Anwendungen. --------------------------------------------- https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstel… ∗∗∗ Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th) ∗∗∗ --------------------------------------------- As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities. --------------------------------------------- https://isc.sans.edu/diary/rss/30252 ∗∗∗ ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families ∗∗∗ --------------------------------------------- Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report. --------------------------------------------- https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html ∗∗∗ Reports about Cyber Actors Hiding in Router Firmware ∗∗∗ --------------------------------------------- On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...] --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Hacking htmx applications ∗∗∗ --------------------------------------------- With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application. --------------------------------------------- https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf ∗∗∗ A Deep Dive into Brute Ratel C4 payloads – Part 2 ∗∗∗ --------------------------------------------- Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent. --------------------------------------------- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/ ∗∗∗ Fake Bitwarden installation packages delivered RAT to Windows users ∗∗∗ --------------------------------------------- Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). The ZenRAT malware A malicious website spoofing Bitwarden’s legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware. --------------------------------------------- https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/945700/ ∗∗∗ New GPU Side-Channel Attack Allows Malicious Websites to Steal Data ∗∗∗ --------------------------------------------- GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip. --------------------------------------------- https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-w… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0020 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0020.html ∗∗∗ K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136909 ∗∗∗ K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136907 ∗∗∗ semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039430 ∗∗∗ Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039433 ∗∗∗ Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039436 ∗∗∗ VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039438 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039519 ∗∗∗ Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040603 ∗∗∗ Vulnerability of jython-standalone-2.7.0.jar have affected APM WebSphere Application Server Agent and APM Tomcat Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040614 ∗∗∗ IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040672 ∗∗∗ IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040744 ∗∗∗ The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028107 ∗∗∗ Control Access issues in PCOMM ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031707 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2023
by Daily end-of-shift report 26 Sep '23

26 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Montag 25-09-2023 18:00 − Dienstag 26-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A new spin on the ZeroFont phishing technique, (Tue, Sep 26th) ∗∗∗ --------------------------------------------- Last week, I came across an interesting phishing e-mail, in which a text written in a font with zero-pixel size was used in quite a novel way. --------------------------------------------- https://isc.sans.edu/diary/rss/30248 ∗∗∗ Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR ∗∗∗ --------------------------------------------- A remote code execution when the user attempts to view a benign file within a ZIP archive. The issue occurs because a) ZIP archive may include a benign file such as an ordinary .JPG file and also a folder that has the same name as the benign file, and the contents of the folder which may include executable content are processed during an attempt to access only the benign file. --------------------------------------------- https://blog.securelayer7.net/analysis-of-cve-2023-38831-zero-day-vulnerabi… ∗∗∗ Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted ∗∗∗ --------------------------------------------- >From what was observed in previous cases, we were able to clearly identify a distribution campaign, using phishing webpages to trick victims into installing malicious APKs, which feature a larger list of targets compared to its previous versions. --------------------------------------------- https://www.threatfabric.com/blogs/xenomorph ∗∗∗ PGP-verschlüsselte E-Mails mit macOS 14: GPGTools warnt vor schnellem Upgrade ∗∗∗ --------------------------------------------- macOS 14 sägt Mail-Plug-ins ab, bewährte Tools wie GPG funktionieren deshalb nicht mehr. GPGTools stellt aber eine neue Extension für Apple Mail in Aussicht. --------------------------------------------- https://www.heise.de/-9318030 ∗∗∗ Vorsicht, wenn PCM Marketing anruft ∗∗∗ --------------------------------------------- Unternehmen werden im Moment häufig von der Marketing-Agentur „PCM Marketing“ angerufen und an eine Kündigung eines Abos erinnert. Bei Nichtkündigung kommt es angeblich zu hohen Kosten. Nach dem Telefonat erhalten Sie ein E-Mail mit einer ausgefüllten Vorlage, die Sie unterschreiben und zurückschicken sollen. Achtung: Unterschreiben Sie nicht, Sie werden in ein teures Abo gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-pcm-marketing-anruft/ ∗∗∗ Fortifying your wireless network: A comprehensive guide to defend against wireless attacks ∗∗∗ --------------------------------------------- In this in-depth blog, we will delve into the technical intricacies of safeguarding your network against wireless threats. Armed with this knowledge, you can confidently defend your wireless infrastructure against potential attackers. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/fortifying-your-wir… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2023-20588 / XSA-439 ∗∗∗ --------------------------------------------- Version 1 accidentally linked to the wrong AMD bulletin. This has been corrected in v2. All other information in v1 is believed to be correct. | Impact: An attacker might be able to infer data from a different execution context on the same CPU core. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-439.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay). --------------------------------------------- https://lwn.net/Articles/945559/ ∗∗∗ Firefox 118 und 115.3 ESR freigegeben ∗∗∗ --------------------------------------------- Zum 26. September 2023 haben die Mozilla-Entwickler den neuen Firefox 118 sowie das Wartungsupdate des Firefox 115.3 ESR veröffentlicht. Mit den Updates wurden einige Schwachstellen geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/09/26/firefox-118-115-3-freigegeben/ ∗∗∗ Suprema BioStar 2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01 ∗∗∗ Advantech EKI-1524-CE series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-04 ∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-02 ∗∗∗ Baker Hughes Bently Nevada 3500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-05 ∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 ∗∗∗ IBM Storage Protect Server is susceptible to numerous vulnerabilities due to Golang Go (CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405, CVE-2023-29406, CVE-2023-29400, CVE-2023-24540, CVE-2023-24539, X-Force 250518) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038772 ∗∗∗ Vulnerability with kernel , OpenJDK jna-platform affect IBM Cloud Object Storage Systems (Sept2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038968 ∗∗∗ Vulnerability with bcprov-jdk affect IBM Cloud Object Storage Systems (Sept2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038966 ∗∗∗ Vulnerability with Python affect IBM Cloud Object Storage Systems (Sept2023v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038969 ∗∗∗ IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-35717) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038982 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to privilege escalation attack due to Apache Cassandra ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039222 ∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039262 ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039367 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2023
by Daily end-of-shift report 25 Sep '23

25 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-09-2023 18:00 − Montag 25-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Akira Ransomware Mutates to Target Linux Systems ∗∗∗ --------------------------------------------- The newly emerged ransomware actively targets both Windows and Linux systems with a double-extortion approach. --------------------------------------------- https://www.darkreading.com/attacks-breaches/akira-ransomware-mutates-to-ta… ∗∗∗ Predator-Spyware: Staatstrojaner wurde über iOS-Schwachstellen eingeschleust ∗∗∗ --------------------------------------------- Intellexa hat die jüngst von Apple gepatchten Schwachstellen in iOS ausgenutzt, um eine Zero-Day-Exploit-Kette für iPhones zu entwickeln. --------------------------------------------- https://www.golem.de/news/predator-spyware-staatstrojaner-wurde-ueber-ios-s… ∗∗∗ Blocking Visual Studio Code embedded reverse shell before its too late ∗∗∗ --------------------------------------------- Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used development tool. With just a few clicks, any user with a github account can share their visual studio desktop on the web. VS code tunnel is almost considered a lolbin (Living Of the Land Binary). --------------------------------------------- https://ipfyx.fr/post/visual-studio-code-tunnel/ ∗∗∗ iRacing Exploit allows attackers to take control of users computer ∗∗∗ --------------------------------------------- If you have updated iRacing since 2023 Season 2 Patch 5, you’re safe. But if you have the game installed and haven’t updated it, it’s important to either update or uninstall it as soon as possible. Keep in mind this exploit is possible even if you haven’t got an active iRacing subscription, so if you were thinking about updating it later, it’s worth uninstalling it in the meanwhile. --------------------------------------------- https://blog.ss23.geek.nz/2023/09/21/iracing-electron-rce-exploit.html ∗∗∗ Außergewöhnliche Malware nimmt westeuropäische Telkos ins Visier ∗∗∗ --------------------------------------------- Lua Dream ist ein mittels Lua modular aufgebauter Schädling, der es auf Telekommunikationsunternehmen abgesehen hat – und wahrscheinlich aus Asien stammt. --------------------------------------------- https://www.heise.de/-9315204.html ∗∗∗ In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover ∗∗∗ --------------------------------------------- A critical vulnerability in the TeamCity CI/CD server could allow unauthenticated attackers to execute code and take over vulnerable servers. --------------------------------------------- https://www.securityweek.com/in-the-wild-exploitation-expected-for-critical… ∗∗∗ Webinar: Manipulation durch Dark Patterns – wie kann ich mich schützen? ∗∗∗ --------------------------------------------- Dark Patterns werden im Internet eingesetzt, um uns zu Handlungen zu verleiten, die nicht in unserem Interesse liegen – und so z. B. mehr Geld auszugeben oder mehr Daten zu teilen, als wir eigentlich möchten. Dieses Webinar erklärt, wie uns Dark Patterns manipulieren und wie Sie sich davor schützen können. Nehmen Sie kostenlos teil: Dienstag 03. Oktober 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-manipulation-durch-dark-patt… ∗∗∗ Gefälschtes Gewinnspiel für ÖBB-Geschenkkarten & iPhone 15 Pro ∗∗∗ --------------------------------------------- Uns werden aktuell betrügerische Gewinnspiele für das neue iPhone sowie ÖBB-Geschenkkarten zum Gratis-Zugfahren gemeldet. Die Gewinnspiele werden über Soziale Netzwerke, Messenger und per E-Mail verbreitet. Den Gewinn bekommen Sie angeblich, wenn Sie € 1,95 zahlen. Wer bezahlt verliert aber Geld! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-oebb-g… ∗∗∗ SCCM Hierarchy Takeover ∗∗∗ --------------------------------------------- tl;dr: There is no security boundary between sites in the same hierarchy. When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then to other primary sites in the hierarchy. This means that if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy. --------------------------------------------- https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087 ∗∗∗ iOS 17 update secretly changed your privacy settings; here’s how to set them back ∗∗∗ --------------------------------------------- Many iPhone users who upgraded their iPhones to the recently-released iOS 17 will be alarmed to hear that they may have actually downgraded their security and privacy. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/ios-17-update-secretly-chan… ∗∗∗ From ScreenConnect to Hive Ransomware in 61 hours ∗∗∗ --------------------------------------------- In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, [...] --------------------------------------------- https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-… ∗∗∗ CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR) ∗∗∗ --------------------------------------------- AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining. --------------------------------------------- https://asec.ahnlab.com/en/57222/ ∗∗∗ Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom ∗∗∗ --------------------------------------------- Kaspersky Unveils Alarming IoT Vulnerabilities and Dark Webs Thriving DDoS Economy. --------------------------------------------- https://www.hackread.com/iot-vulnerabilities-dark-web-ddos-economy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Elasticsearch 8.9.0, 7.17.13 Security Update ∗∗∗ --------------------------------------------- An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. --------------------------------------------- https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/34… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/945503/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-ex… ∗∗∗ RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php ∗∗∗ Wago: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-042/ ∗∗∗ Stored Cross-Site Scripting in der mb Support broker management Solution openVIVA c2 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2023
by Daily end-of-shift report 22 Sep '23

22 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-09-2023 18:00 − Freitag 22-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters ∗∗∗ --------------------------------------------- No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin. --------------------------------------------- https://arstechnica.com/?p=1970341 ∗∗∗ GitHub passkeys generally available for passwordless sign-ins ∗∗∗ --------------------------------------------- GitHub has made passkeys generally available across the platform today to secure accounts against phishing and allow passwordless logins for all users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-passkeys-generally-av… ∗∗∗ iOS, iPad OS, Watch OS und MacOS: Apple behebt aktiv ausgenutzte Schwachstellen ∗∗∗ --------------------------------------------- Drei Zero-Day-Schwachstellen in iOS, iPad OS, Watch OS sowie Mac OS sollen bereits aktiv ausgenutzt werden. Patches stehen jetzt bereit. --------------------------------------------- https://www.golem.de/news/ios-ipad-os-watch-os-und-macos-apple-behebt-aktiv… ∗∗∗ The WebP 0day ∗∗∗ --------------------------------------------- Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apples Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached:"Google is aware that an exploit for CVE-2023-4863 exists in the wild." --------------------------------------------- https://blog.isosceles.com/the-webp-0day/ ∗∗∗ Proof-of-Concept-Exploit für WinRAR-Lücke bringt VenomRAT-Malware mit ∗∗∗ --------------------------------------------- Mitte August haben die Entwickler eine Zero-Day-Lücke in WinRAR ausgebessert. Dafür taucht ein gefälschter PoC auf, der Malware mitbringt. --------------------------------------------- https://www.heise.de/-9313479.html ∗∗∗ Qnap warnt vor Codeschmuggel durch Schwachstellen ∗∗∗ --------------------------------------------- Qnap warnt vor Sicherheitslücken im QTS-Betriebssystem und der Multimedia Console, durch die Angreifer Schadcode einschleusen können. --------------------------------------------- https://www.heise.de/-9313549.html ∗∗∗ Sicherheitslücke: Datenleaks auf Drupal-Websites möglich ∗∗∗ --------------------------------------------- Unter bestimmten Voraussetzungen können Angreifer mit dem Content Management System Drupal erstellte Seiten attackieren. Abgesicherte Versionen sind verfügbar. --------------------------------------------- https://www.heise.de/-9313594.html ∗∗∗ Schon einmal auf einen Fake-Shop hineingefallen? ∗∗∗ --------------------------------------------- Sie kaufen regelmäßig online ein und verwenden dabei Ihr Mobiltelefon? Sie sind schon einmal in Berührung mit Fake-Shops gekommen oder waren Opfer von Internetbetrug? Sie möchten mehr darüber erfahren, welche präventiven Maßnahmen es gibt, um den Einkauf in Fake-Shops zu verhindern? Sie möchten aktiv an der Gestaltung einer Lösung mitarbeiten? Dann nehmen Sie an unserem Workshop teil! --------------------------------------------- https://www.watchlist-internet.at/news/schon-einmal-auf-einen-fake-shop-hin… ∗∗∗ Finding Deserialization Bugs in the SolarWind Platform ∗∗∗ --------------------------------------------- It’s been a while since I have written a blog post, please accept my sincerest apologies. This is because a lot of fun stuff that I’ve recently done is going to be presented during conferences. Please treat this post as a small introduction to my upcoming Hexacon 2023 talk titled “Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization”. --------------------------------------------- https://www.thezdi.com/blog/2023/9/21/finding-deserialization-bugs-in-the-s… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-1449: (0Day) Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1449/ ∗∗∗ (0Day) Ashlar-Vellum Cobalt AR Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- The specific flaw exists within the parsing of AR files [...] Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. (ZDI-23-1450 - ZDI-23-1454) --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gsl), Fedora (dotnet6.0 and dotnet7.0), Oracle (libwebp), Slackware (bind, cups, and seamonkey), SUSE (kernel and rust, rust1.72), and Ubuntu (cups, flac, gnome-shell, imagemagick, and python3.5). --------------------------------------------- https://lwn.net/Articles/945322/ ∗∗∗ Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Apache HTTP Server have been reported to affect certain QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-12 ∗∗∗ Vulnerability in Legacy QTS ∗∗∗ --------------------------------------------- A buffer copy without checking size of input vulnerability has been reported to affect certain legacy versions of QTS. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-25 ∗∗∗ Vulnerability in Multimedia Console ∗∗∗ --------------------------------------------- A buffer copy without checking size of input vulnerability has been reported to affect certain versions of Multimedia Console. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-29 ∗∗∗ Security update 1.5.4 released ∗∗∗ --------------------------------------------- We just published a security update to the LTS version 1.5 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability: Cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar. See the full changelog in the release notes in the release notes on the Github download page. We strongly recommend to update all productive installations of Roundcube 1.5.x with this new version. --------------------------------------------- https://roundcube.net/news/2023/09/18/security-update-1.5.4-released ∗∗∗ Security update 1.4.14 released ∗∗∗ --------------------------------------------- We just published a security update to the LTS version 1.4 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability: Cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar. See the full changelog in the release notes in the release notes on the Github download page. We strongly recommend to update all productive installations of Roundcube 1.4.x with this new version. --------------------------------------------- https://roundcube.net/news/2023/09/18/security-update-1.4.14-released ∗∗∗ Security update 1.6.3 released ∗∗∗ --------------------------------------------- We just published a security update to the version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability: Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages,reported by Niraj Shivtarkar. See the full changelog in the release notes in the release notes on the Github download page. We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version. --------------------------------------------- https://roundcube.net/news/2023/09/15/security-update-1.6.3-released ∗∗∗ [R1] Nessus Version 10.5.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-31 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2023
by Daily end-of-shift report 21 Sep '23

21 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-09-2023 18:00 − Donnerstag 21-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Free Download Manager releases script to check for Linux malware ∗∗∗ --------------------------------------------- The developers of Free Download Manager (FDM) have published a script to check if a Linux device was infected through a recently reported supply chain attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-download-manager-releas… ∗∗∗ P2PInfect botnet activity surges 600x with stealthier malware variants ∗∗∗ --------------------------------------------- The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023. --------------------------------------------- https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-su… ∗∗∗ LUCR-3: Scattered Spider Getting SaaS-y in the Cloud ∗∗∗ --------------------------------------------- LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across various sectors to include but not limited to Software, Retail, Hospitality, Manufacturing, and Telecoms. --------------------------------------------- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud ∗∗∗ Remote Code Execution in Tutanota Desktop due to Code Flaw ∗∗∗ --------------------------------------------- In this article, we explained how an innocent-looking mistake in the code could significantly impact the security of an application. We showed how we found a Cross-Site Scripting vulnerability in Tutanota, a popular end-to-end encrypted webmail service, and explained how an attacker could have exploited the flaw to execute arbitrary code on a victims system. --------------------------------------------- https://www.sonarsource.com/blog/remote-code-execution-in-tutanota-desktop-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Critical - Cache poisoning - SA-CORE-2023-006 ∗∗∗ --------------------------------------------- This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. --------------------------------------------- https://www.drupal.org/sa-core-2023-006 ∗∗∗ MOVEit Transfer: Schwachstellen ermöglichen Angreifern Datenschmuggel ∗∗∗ --------------------------------------------- Neue MOVEit Transfer-Versionen schließen teils hochriskante Sicherheitslücken. IT-Verantwortliche sollten sie zügig installieren. --------------------------------------------- https://www.heise.de/-9312162 ∗∗∗ Sicherheitsupdate: Passwort-Lücke bedroht Nagios XI ∗∗∗ --------------------------------------------- Angreifer können die Server-Monitoring-Lösung Nagios XI attackieren. Eine dagegen abgesicherte Version ist verfügbar. --------------------------------------------- https://www.heise.de/-9312331 ∗∗∗ Sicherheitsupdate: Authentifizierung von HPE OneView umgehbar ∗∗∗ --------------------------------------------- Die IT-Infrastrukturmanagementlösung OneView von HPE ist verwundbar. Der Entwickler hat zwei kritische Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9312816 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023) ∗∗∗ --------------------------------------------- Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (frr and libyang), Fedora (golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, golang-gopkg-alecthomas-kingpin-2, libpano13, and open-vm-tools), Oracle (firefox, frr, and thunderbird), Red Hat (dmidecode, kernel, kernel-rt, kpatch-patch, libwebp: critical, linux-firmware, mariadb:10.3, ncurses, postgresql:15, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox, open-vm-tools, and thunderbird), SUSE (binutils, bluez, chromium, curl, gcc7, go1.20, go1.21, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python- cryptography-vectors, python-google-api-core, pyt, gstreamer-plugins-good, kernel, libcares2, libxml2, mdadm, mutt, and python-brotlipy), and Ubuntu (indent, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.0, linux-oem-6.1, and memcached). --------------------------------------------- https://lwn.net/Articles/945073/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt, netatalk, and python2.7), Fedora (chromium, golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, and golang-gopkg-alecthomas-kingpin-2), Oracle (dmidecode, frr, libwebp, open-vm-tools, and thunderbird), Red Hat (libwebp and open-vm-tools), SUSE (cups, frr, mariadb, openvswitch3, python39, qemu, redis7, rubygem-rails-html-sanitizer, and skopeo), and Ubuntu (bind9, cups, and libppd). --------------------------------------------- https://lwn.net/Articles/945173/ ∗∗∗ Synology-SA-23:13 SRM ∗∗∗ --------------------------------------------- A vulnerability allow remote attackers to bypass security constraint via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_13 ∗∗∗ ISC Releases Security Advisories for BIND 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/21/isc-releases-security-ad… ∗∗∗ Frauscher: Multiple Vulnerabilities in FDS101 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-038/ ∗∗∗ Rockwell Automation FactoryTalk View Machine Edition ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-264-06 ∗∗∗ Rockwell Automation Connected Components Workbench ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-264-05 ∗∗∗ Rockwell Automation Select Logix Communication Modules ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-264-04 ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-264-03 ∗∗∗ Real Time Automation 460 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-264-01 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963075 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to a denial of service due to use of Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031979 ∗∗∗ Vulnerabilities in CKEditor library affects IBM Engineering Test Management (ETM) (CVE-2021-32809, CVE-2021-37695) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037094 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM Storage Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037135 ∗∗∗ IBM Events Operator is affected by a denial of service in OpenSSL (CVE-2023-0215). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037162 ∗∗∗ A vulnerability in Red Hat Enterprise Linux may affect IBM Robotic Process Automation for Cloud Pak and result in elevated privileges (CVE-2023-3899). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037164 ∗∗∗ IBM Events Operator is affected by a denial of service in OpenSSL (CVE-2022-4450). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037167 ∗∗∗ IBM Events Operator is vulnerable to a denial of service in OpenSSL (CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037165 ∗∗∗ Vulnerability in node.js package may affect IBM Storage Scale GUI (CVE-2022-25883) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037185 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2023
by Daily end-of-shift report 20 Sep '23

20 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-09-2023 18:00 − Mittwoch 20-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gitlab warnt vor kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke bedroht die Enterprise-Anwender des Repository-Diensts Gitlab. Kunden sollten unverzüglich ein Update einspielen. --------------------------------------------- https://www.heise.de/-9311249.html ∗∗∗ Atlassian stopft Sicherheitslecks in Bitbucket, Confluence und Jira ∗∗∗ --------------------------------------------- Atlassian warnt vor Sicherheitslücken in Bitbucket, Confluence und Jira. Aktualisierte Fassungen dichten sie ab. --------------------------------------------- https://www.heise.de/-9311520.html ∗∗∗ Trend Micro: Update schließt ausgenutzte, kritische Schwachstelle CVE-2023-41179 ∗∗∗ --------------------------------------------- Kurzer Hinweis für Nutzer und Administratoren von Trend Micro die Sicherheitsprodukte Apex One und Worry-Free Business Security unter Windows einsetzen. In den Produkten gibt es eine kritische Sicherheitslücke (CVE-2023-41179), die bereits in freier Wildbahn ausgenutzt wird. Der Hersteller bietet aber [...] --------------------------------------------- https://www.borncity.com/blog/2023/09/20/trend-micro-notfall-update-schliet… ∗∗∗ Analyzing a Modern In-the-wild Android Exploit ∗∗∗ --------------------------------------------- In December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one of the exploit chains, specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver) as well as the techniques used by the [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-and… ∗∗∗ Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: [...] --------------------------------------------- https://thehackernews.com/2023/09/fresh-wave-of-malicious-npm-packages.html ∗∗∗ The mystery of the CVEs that are not vulnerabilities ∗∗∗ --------------------------------------------- Researchers have raised the alarm about a large set of CVE for older bugs that never were vulnerabilities. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/09/the-mystery-of-the-cves-that… ∗∗∗ Shodan Verified Vulns 2023-09-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-09-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] In diesem Monat folgen die Schwachstellen in den unteren zwei Dritteln wieder dem Abwärtstrend und nähern sich der Nullmarke oder haben diese bereits erreicht. Im oberen Drittel ist im Gegensatz zu den Vormonaten ein leichter Anstieg bei FREAK (CVE-2015-0204) (+131) und Logjam (CVE-2015-4000) (+63) zu verzeichnen. --------------------------------------------- https://cert.at/de/aktuelles/2023/9/shodan-verified-vulns-2023-09-01 ∗∗∗ #StopRansomware: Snatch Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more [...] --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a ∗∗∗ Attacker Unleashes Stealthy Crypto Mining via Malicious Python Package ∗∗∗ --------------------------------------------- Recently, our team came across a Python package named “culturestreak”. A closer look reveals a darker purpose: unauthorized cryptocurrency mining. Let’s break down how “culturestreak” operates, its potential impact, and the broader implications for user security and ethical [...] --------------------------------------------- https://checkmarx.com/blog/attacker-unleashes-stealthy-crypto-mining-via-ma… ∗∗∗ Protect CNC Machines in Networked IT/OT Environments ∗∗∗ --------------------------------------------- Networking IT/OT environments is a bit like walking a tightrope, balancing the pursuit of intelligence and efficiency against the risks of exposing OT systems to the wider world. Trend Micro recently teamed up with global machine tool company Celada to identify specific risks associated with industrial CNC machines—and how to mitigate them. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/23/i/cnc-machine-security.html ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Security Flaws Exposed in Nagios XI Network Monitoring Software ∗∗∗ --------------------------------------------- Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure. The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been patched as of September 11, 2023, [...] --------------------------------------------- https://thehackernews.com/2023/09/critical-security-flaws-exposed-in.html ∗∗∗ Xen Security Advisory CVE-2023-34322 / XSA-438 ∗∗∗ --------------------------------------------- top-level shadow reference dropped too early for 64-bit PV guests | Impact: Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks all cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-438.html ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028514 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028506 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028511 ∗∗∗ IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028509 ∗∗∗ IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030110 ∗∗∗ IBM Storage Protect is vulnerable to a remote attack due to Java ( CVE-2023-21967 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034474 ∗∗∗ IBM Storage Protect is vulnerable to deserialization issues due to Java ( CVE-2022-40609 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034467 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035336 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-28513). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035334 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035367 ∗∗∗ A vulnerability in python-request affects IBM Robotic Process Automation for Cloud Pak and may result in an attacker obtaining sensitive information (CVE-2023-32681) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034002 ∗∗∗ A vulnerability in gRPC may affect IBM Robotic Process Automation and result in an attacker obtaining sensitive information. (CVE-2023-32731) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034007 ∗∗∗ A vulnerability in Apache Johnzon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-33008) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034006 ∗∗∗ A vulnerability in Microsoft ASP.NET Core may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2023-35391). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034005 ∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027853 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2023
by Daily end-of-shift report 19 Sep '23

19 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Montag 18-09-2023 18:00 − Dienstag 19-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Tausende Juniper-Firewalls immer noch ohne Sicherheitsupdate ∗∗∗ --------------------------------------------- Aufgrund eines neuen Exploits sind Attacken auf Juniper-Firewalls jetzt noch einfacher. Sicherheitspatches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Tausende-Juniper-Firewalls-immer-no… ∗∗∗ Bumblebee malware returns in new attacks abusing WebDAV folders ∗∗∗ --------------------------------------------- The malware loader Bumblebee has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-in… ∗∗∗ Security baseline for Microsoft Edge version 117 ∗∗∗ --------------------------------------------- Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (Added) --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Härtung des Dateitransfers: Microsoft sichert das SMB-Protokoll ab ∗∗∗ --------------------------------------------- Mit zwei Maßnahmen sichert Microsoft sowohl die SMB Client- als auch die Serverseite besser ab. Wir zeigen, worauf Administratoren achten müssen. --------------------------------------------- https://www.heise.de/news/Haertung-des-Dateitransfers-Microsoft-sichert-das… ∗∗∗ CISA Says Owl Labs Vulnerabilities Requiring Close Physical Range Exploited in Attacks ∗∗∗ --------------------------------------------- The US cybersecurity agency CISA says four vulnerabilities found last year in Owl Labs video conferencing devices — flaws that require the attacker to be in close range of the target — have been exploited in attacks. --------------------------------------------- https://www.securityweek.com/cisa-says-owl-labs-vulnerabilities-requiring-c… ∗∗∗ Fake-Shop-Trends im Herbst und Winter ∗∗∗ --------------------------------------------- Warme Jacken, Skianzüge und Regenstiefel haben wieder Saison. Auch die Nachfrage nach Pellets und Holz steigt langsam wieder. Das wissen auch Kriminelle und stellen ihre Fake-Shops auf Herbst- und Winterangebote um. Wir zeigen Ihnen, welche Fake-Shop-Trends es gerade gibt und wie Sie sich vor betrügerischen Angeboten schützen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-trends-im-herbst-und-winte… ∗∗∗ Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT ∗∗∗ --------------------------------------------- Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository. --------------------------------------------- https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/ ===================== = Vulnerabilities = ===================== ∗∗∗ Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346) ∗∗∗ --------------------------------------------- VxWorks is a real-time operating system used in many embedded devices in high-availability environments with high safety and security requirements. This includes important industrial, medical, airospace, networking and automotive devices. For example, NASAs Curiosity rover currently deployed on planet Mars is using Wind Rivers VxWorks operating system. --------------------------------------------- https://www.pentagrid.ch/en/blog/wind-river-vxworks-tarextract-directory-tr… ∗∗∗ SolarWinds Platform 2023.3.1 Release Notes ∗∗∗ --------------------------------------------- SolarWinds Platform 2023.3.1 is a service release providing bug and security fixes for release 2023.3. For information about the 2023.3 release, including EOL notices and upgrade information, see SolarWinds Platform 2023.3 Release Notes. --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd). --------------------------------------------- https://lwn.net/Articles/944848/ ∗∗∗ Trend Micro Patches Exploited Zero-Day Vulnerability in Endpoint Security Products ∗∗∗ --------------------------------------------- Trend Micro on Tuesday released an advisory to warn customers that a critical vulnerability affecting Apex One and other endpoint security products has been exploited in the wild. --------------------------------------------- https://www.securityweek.com/trend-micro-patches-exploited-zero-day-vulnera… ∗∗∗ Spring Security 5.8.7, 6.0.7, 6.1.4, 6.2.0-M1 Released, including fixes for CVE-2023-34042 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/09/18/spring-security-5-8-7-6-0-7-6-1-4-6-2-0-m… ∗∗∗ Spring for GraphQL 1.0.5, 1.1.6, 1.2.3 released ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/09/19/spring-for-graphql-1-0-5-1-1-6-1-2-3-rele… ∗∗∗ Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ PHOENIX CONTACT: Multiple products affected by WIBU Codemeter Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-030/ ∗∗∗ Omron CJ/CS/CP Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05 ∗∗∗ Omron Engineering Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-04 ∗∗∗ Omron Engineering Software Zip-Slip ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-03 ∗∗∗ Vulnerabilities in Bash affect ProtecTIER (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690049 ∗∗∗ Multiple vulnerabilities in OpenSSL affect ProtecTIER ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/691201 ∗∗∗ Multiple vulnerabilities in Samba – including Badlock – affect ProtecTIER ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/691257 ∗∗∗ Vulnerability in Linux Kernel affects ProtecTIER: Dirty COW vulnerability (CVE-2016-5195) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/696401 ∗∗∗ Vulnerability in glibc library affects ProtecTIER(CVE-2014-5119) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690187 ∗∗∗ Vulnerability in OpenSSL affects ProtecTIER (CVE-2016-2108) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/695443 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Storage Protect Operations Center is vulnerable to denial of service due to Websphere Application Server Liberty ( CVE-2023-28867 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034039 ∗∗∗ IBM Storage Protect Server is vulnerable to denial of service and other attacks due to Db2 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034037 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034198 ∗∗∗ Vulnerabilities in Linux kernel and Python can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034265 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules tough-cookie and semver (CVE-2023-26136, CVE-2022-25883). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031733 ∗∗∗ A vulnerability in the Administrative command line client affects IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2023-40368) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7034288 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2023
by Daily end-of-shift report 18 Sep '23

18 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-09-2023 18:00 − Montag 18-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BlackCat ransomware hits Azure Storage with Sphynx encryptor ∗∗∗ --------------------------------------------- The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets Azure cloud storage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azu… ∗∗∗ Microsoft leaks 38TB of private data via unsecured Azure storage ∗∗∗ --------------------------------------------- The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-pri… ∗∗∗ Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients ∗∗∗ --------------------------------------------- Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering, said. "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication." --------------------------------------------- https://thehackernews.com/2023/09/retool-falls-victim-to-sms-based.html ∗∗∗ Fuzzing with multiple servers in parallel: AFL++ with Network File Systems ∗∗∗ --------------------------------------------- When fuzzing large-scale applications, using a single server (even with 4 64-core AMD Ryzen CPUs) may not be powerful enough by itself. That’s where parallelized/distributed fuzzing comes in (i.e. automatic sharing of results between fuzzing systems). In this guide, we’ll take a look at how to set up multiple servers fuzzing the same program using AFL++, linked all together with an NFS (Network File System). --------------------------------------------- https://joshua.hu/fuzzing-multiple-servers-parallel-aflplusplus-nfs ∗∗∗ donut-decryptor ∗∗∗ --------------------------------------------- donut-decryptor checks file(s) for known signatures of the donut obfuscators loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary it is decrypted and dumped to disk. --------------------------------------------- https://github.com/volexity/donut-decryptor ∗∗∗ CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution ∗∗∗ --------------------------------------------- MEDIUM | AUGUST 23, 2023 | CVE-2023-34040: In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers [...] According to the description in security bulletin, we can simply attain some critical points resulting in the vulnerability. --------------------------------------------- https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserializa… ∗∗∗ AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation ∗∗∗ --------------------------------------------- The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they’ve named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000/day. --------------------------------------------- https://sysdig.com/blog/ambersquid/ ∗∗∗ Fileless Remote Code Execution on Juniper Firewalls ∗∗∗ --------------------------------------------- CVE-2023-36845 is a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. Juniper scored the vulnerability as a medium severity issue. However, in this blog, we’ll show you how this vulnerability alone can achieve remote, unauthenticated code execution without even touching the disk. --------------------------------------------- https://vulncheck.com/blog/juniper-cve-2023-36845 ∗∗∗ Sherlock: Spyware kommt über Online-Werbung ∗∗∗ --------------------------------------------- Die israelische Firma Insanet soll eine Spähsoftware entwickelt haben, die über gezielte Werbebanner auf Windows-PCs und gängige Smartphones ausgespielt wird. --------------------------------------------- https://www.heise.de/-9308891.html ∗∗∗ CISA Releases New Identity and Access Management Guidance ∗∗∗ --------------------------------------------- CISA has released new guidance on how federal agencies can integrate identity and access management into their ICAM architecture. --------------------------------------------- https://www.securityweek.com/cisa-releases-new-identity-and-access-manageme… ∗∗∗ Verkaufen auf Vinted: Vermeintliche Käufer:innen locken auf gefälschte Zahlungsplattform ∗∗∗ --------------------------------------------- Sie verkaufen etwas auf Vinted? Vorsicht, wenn interessierte Käufer:innen nach Ihrer E-Mail-Adresse fragen. Dahinter steckt eine Betrugsmasche, die darauf abzielt, Sie auf eine gefälschte Vinted-Zahlungsplattform zu locken. Auf dieser Plattform erhalten Sie angeblich den Kaufbetrag. Tatsächlich stehlen die Kriminellen dort Ihre Bank- oder Kreditkartendaten und überzeugen Sie, Zahlungen freizugeben. --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-vinted-vermeintliche-k… ∗∗∗ Vorsicht: Steam Fake Accounts und Scam-Methoden ∗∗∗ --------------------------------------------- Kurze Warnung für Leser und Leserinnen, die auf der Plattform Steam unterwegs sind. Ein Leser hat mich auf eine Betrugswelle aufmerksam gemacht, die gerade läuft und mit gefälschten Konten operiert. --------------------------------------------- https://www.borncity.com/blog/2023/09/16/vorsicht-steam-fake-accounts-und-s… ∗∗∗ 18th September – Threat Intelligence Report ∗∗∗ --------------------------------------------- For the latest discoveries in cyber research for the week of 11th September, please download our Threat_Intelligence Bulletin. --------------------------------------------- https://research.checkpoint.com/2023/18th-september-threat-intelligence-rep… ∗∗∗ Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement ∗∗∗ --------------------------------------------- While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actors server - a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which weve dubbed SprySOCKS due to its swift behavior and SOCKS implementation. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linu… ∗∗∗ MidgeDropper Variant Targets Work-from-Home Employees on Windows PCs ∗∗∗ --------------------------------------------- If you are working from home, you need to be on the lookout for the new and complex variant of MidgeDropper malware. --------------------------------------------- https://www.hackread.com/midgedropper-variant-work-from-home-windows/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap-Updates schließen hochriskante Lücke ∗∗∗ --------------------------------------------- Qnap hat aktualisierte Betriebssysteme veröffentlicht. Die neuen QTS-, QuTS-hero- und QuTScloud-Releases schließen teils hochriskante Lücken. --------------------------------------------- https://www.heise.de/-9308427.html ∗∗∗ Anonymisierendes Linux: Kritische libWebP-Lücke in Tails 5.17.1 geschlossen ∗∗∗ --------------------------------------------- Die Maintainer des anonymisierenden Linux Tails für den USB-Stick haben in Version 5.17.1 die bereits angegriffene, kritische libWebP-Lücke geschlossen. --------------------------------------------- https://www.heise.de/-9307906.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox). --------------------------------------------- https://lwn.net/Articles/944744/ ∗∗∗ Authenticated Remote Code Execution und fehlende Authentifizierung in Atos Unify OpenScape ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-remote-… ∗∗∗ Vulnerabilities in Apache Struts library affect Tivoli Netcool\/OMNIbus WebGUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7033228 ∗∗∗ Vulnerabilities in Certifi, cryptography, python-requests and Tornado can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore [CVE-2023-37920, CVE-2023-38325, CVE-2023-32681, CVE-2023-28370] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031489 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2023
by Daily end-of-shift report 15 Sep '23

15 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2023 18:00 − Freitag 15-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ What is Secure Shell (SSH) & How to Use It: Security & Best Practices ∗∗∗ --------------------------------------------- In this blog post, we’re going to delve deeper into what Secure Shell (SSH) is, how it operates, and why it’s useful. We’ll cover everything from the basics of connecting with SSH to common commands and best practices for ensuring secure communications and file transfers. --------------------------------------------- https://blog.sucuri.net/2023/09/what-is-secure-shell-ssh-how-to-use-it-secu… ∗∗∗ A detailed analysis of the Money Message Ransomware ∗∗∗ --------------------------------------------- The threat actor group, Money Message ransomware, first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which contains the services and processes to stop a ransomware attack, can be found at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe. --------------------------------------------- https://resources.securityscorecard.com/research/analysis-money-message-ran… ∗∗∗ Mehr Sicherheit für (Open-)Sourcecode: OpenSSF veröffentlicht Leitfaden ∗∗∗ --------------------------------------------- Ein Leitfaden der Open Source Security Foundation zeigt Tools und Best Practices zum Absichern von Code auf Versionsverwaltungsplattformen auf. --------------------------------------------- https://www.heise.de/-9306112.html ∗∗∗ Watch out, this LastPass email with "Important information about your account" is a phish ∗∗∗ --------------------------------------------- The consequences of last year's LastPass breach continue to be felt, with the latest insult to users coming in the form of a highly convincing phishing email. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/09/nasty-lastpass-phish ∗∗∗ Threat Group Assessment: Turla (aka Pensive Ursa) ∗∗∗ --------------------------------------------- Pensive Ursa was chosen to be the main focus for the 2023 MITRE ATT&CK evaluation. MITRE has described Turla as being “known for their targeted intrusions and innovative stealth.” The results of this evaluation, including Palo Alto Networks scoring, will be published in late September 2023. --------------------------------------------- https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/ ∗∗∗ Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety ∗∗∗ --------------------------------------------- UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smshing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. --------------------------------------------- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Sicherheitslösungen von Fortinet als Sicherheitsrisiko ∗∗∗ --------------------------------------------- Mehrere Produkte von Fortinet sind verwundbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/-9306543.html ∗∗∗ Management-Controller Lenovo XCC: Angreifer können Passwörter manipulieren ∗∗∗ --------------------------------------------- Der Computerhersteller Lenovo hat in XClarity Controller mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9304734.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares and samba), Fedora (borgbackup, firefox, and libwebp), Oracle (.NET 6.0 and kernel), Slackware (libwebp), SUSE (chromium and firefox), and Ubuntu (atftp, dbus, gawk, libssh2, libwebp, modsecurity-apache, and mutt). --------------------------------------------- https://lwn.net/Articles/944581/ ∗∗∗ QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032220 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to HTTP header injection due to Go CVE-2023-29406 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032249 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to bypassing security restrictions due to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032238 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to a denial of service due to use of Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031979 ∗∗∗ Due to use of Golang Go, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032901 ∗∗∗ Multiple vulnerabilities in jackson-databind affect IBM Application Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032899 ∗∗∗ IBM Operational Decision Manager August 2023 - Multiple CVEs addressed ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032928 ∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029387 ∗∗∗ CVE-2023-24539, CVE-2023-29400, CVE-2023-29403, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405 related to Go affect IBM CICS TX Standard 11.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7033006 ∗∗∗ CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405 related to Go affect IBM CICS TX Advanced 11.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7033004 ∗∗∗ Vulnerabilities in Golang, openSSH and openJDK might affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029389 ∗∗∗ Vulnerabilities in snappy-java might affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029381 ∗∗∗ Vulnerabilities in cURL libcurl might affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029380 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2023
by Daily end-of-shift report 14 Sep '23

14 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2023 18:00 − Donnerstag 14-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit ∗∗∗ --------------------------------------------- Security researcher Gabe Kirkpatrick has made a proof-of-concept (PoC) exploit available for CVE-2023-38146, aka "ThemeBleed," which enables attackers to trigger arbitrary remote code execution if the target opens a specially crafted .theme file. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-themebleed-rce-bu… ∗∗∗ Top 10 Facts About MOVEit Breach ∗∗∗ --------------------------------------------- This breach exposed the vulnerabilities inherent in some of the world’s most trusted platforms and highlighted the audacity and capabilities of modern cybercriminals. Furthermore, becoming the primary attack vector for the Cl0p ransomware group, it has led to many other attacks. --------------------------------------------- https://socradar.io/top-10-facts-about-moveit-breach/ ∗∗∗ Column-Level Encryption 101: What is It, implementation & Benefits ∗∗∗ --------------------------------------------- By encrypting individual columns of data, organizations can limit access to the data, reduce the potential damage of a breach and help ensure the privacy of their customers information. In this post, we will explore the power of column-level encryption for data security. So let’s dive in. --------------------------------------------- https://www.piiano.com/blog/column-level-encryption ∗∗∗ Uncursing the ncurses: Memory corruption vulnerabilities found in library ∗∗∗ --------------------------------------------- Microsoft has discovered a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI). Released in 1993, the ncurses library is commonly used by various programs on Portable Operating System Interface (POSIX) operating systems, including Linux, macOS, and FreeBSD. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncur… ∗∗∗ PSA: Ongoing Webex malvertising campaign drops BatLoader ∗∗∗ --------------------------------------------- A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex… ∗∗∗ QR-Code in E-Mails von vermeintlichen Lieferanten führt zu Phishing-Seite ∗∗∗ --------------------------------------------- Aktuell ist ein besonders perfides Phishing-Mail im Umlauf: Unternehmen werden von ihnen bekannten Lieferanten kontaktiert, die ein Angebot per QR-Code übermitteln. Zumindest wird das in der Nachricht behauptet. Tatsächlich führt das Scannen des QR-Codes auf eine Phishing-Seite. Kriminelle versuchen dabei, an die Zugangsdaten für das Microsoft-Konto der Mitarbeiter:innen zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/qr-code-in-e-mails-von-vermeintliche… ∗∗∗ Vorsicht vor Phishing-E-Mails von "oesterreich.gv.at" & "a-trust.at" ∗∗∗ --------------------------------------------- Momentan befinden sich zahlreiche Phishing-Nachrichten von vermeintlich vertrauenswürdigen Absendern in Umlauf. Die Nachrichten versprechen angebliche Rückerstattungen von Oesterreich.gv.at. Klicken Sie nicht auf die Links, Ihre Daten werden gestohlen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-e-mails-von-oe… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGuard PSIRT Advisories ∗∗∗ --------------------------------------------- Fortiguard Labs have released 12 Advisories for FortiADC, FortiAPs, FortiAP-U, FortiClient-EMS, FortiManager & FortiAnalyzer, FortiOS & FortiProxy, FortiPresence, FortiSIEM, FortiTester and FortiWeb. (Severity: 3x High, 8x Medium, 1x Low) --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=2023&product=FortiWeb,FortiSIEM,… ∗∗∗ Siemens hat mit 14.09.2023 weitere 2 Security Advisories veröffentlicht ∗∗∗ --------------------------------------------- SSA-646240: Sensitive Information Disclosure in SIMATIC PCS neo Administration Console (5.5), SSA-357182: Local Privilege Escalation Vulnerability in Spectrum Power 7 (8.2) --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) ∗∗∗ --------------------------------------------- Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird). --------------------------------------------- https://lwn.net/Articles/944481/ ∗∗∗ Drupal: Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-045 ∗∗∗ Rockwell Automation Pavilion8 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-257-07 ∗∗∗ Palo Alto: CVE-2023-3280 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3280 ∗∗∗ Palo Alto: CVE-2023-38802 PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-38802 ∗∗∗ : PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2023-39417) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032120 ∗∗∗ CISA Adds Three Known Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/13/cisa-adds-three-known-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2023
by Daily end-of-shift report 13 Sep '23

13 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2023 18:00 − Mittwoch 13-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Angriffe mittels präparierter PDF-Dateien auf Adobe Acrobat ∗∗∗ --------------------------------------------- Adobe hat in Acrobat und Reader, Connect und Experience Manager mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-9303487 ∗∗∗ Notfallpatch sichert Firefox und Thunderbird gegen Attacken ab ∗∗∗ --------------------------------------------- Mozilla hat in seinen Webbrowsern und seinem Mailclient eine Sicherheitslücke geschlossen, die Angreifer bereits ausnutzen. --------------------------------------------- https://heise.de/-9303536 ∗∗∗ Microsoft Security Update Summary (12. September 2023) ∗∗∗ --------------------------------------------- Am 12. September 2023 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office- sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 61 CVE-Schwachstellen, zwei sind 0-day Schwachstellen. Nachfolgend findet sich ein kompakter Überblick über diese Updates [...] --------------------------------------------- https://www.borncity.com/blog/2023/09/13/microsoft-security-update-summary-… ∗∗∗ Threat landscape for industrial automation systems. Statistics for H1 2023 ∗∗∗ --------------------------------------------- In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-s… ∗∗∗ Malware distributor Storm-0324 facilitates ransomware access ∗∗∗ --------------------------------------------- The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool [...] --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributo… ∗∗∗ Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints ∗∗∗ --------------------------------------------- Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, [...] --------------------------------------------- https://thehackernews.com/2023/09/alert-new-kubernetes-vulnerabilities.html ∗∗∗ OpenSSL 1.1.1 reaches end of life for all but the well-heeled ∗∗∗ --------------------------------------------- $50k to breathe new life into its corpse. The rest of us must move on to OpenSSL 3.0 OpenSSL 1.1.1 has reached the end of its life, making a move to a later version essential for all, bar those with extremely deep pockets. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/09/12/openssl_111_… ∗∗∗ macOS Info-Stealer Malware ‘MetaStealer’ Targeting Businesses ∗∗∗ --------------------------------------------- The MetaStealer macOS information stealer has been targeting businesses to exfiltrate keychain and other valuable information. --------------------------------------------- https://www.securityweek.com/macos-info-stealer-malware-metastealer-targeti… ∗∗∗ How Next-Gen Threats Are Taking a Page From APTs ∗∗∗ --------------------------------------------- Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime. --------------------------------------------- https://www.securityweek.com/how-next-gen-threats-are-taking-a-page-from-ap… ∗∗∗ How Three Letters Brought Down UK Air Traffic Control ∗∗∗ --------------------------------------------- The UK bank holiday weekend at the end of August is a national holiday in which it sometimes seems the entire country ups sticks and makes for somewhere with a beach. This year though, many of them couldn’t, because the country’s NATS air traffic system went down and stranded many to grumble in the heat of a crowded terminal. At the time it was blamed on faulty flight data, but news now emerges that the data which brought down an entire country’s air traffic control may have not been faulty at all. --------------------------------------------- https://hackaday.com/2023/09/13/how-three-letters-brought-down-uk-air-traff… ∗∗∗ 3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack ∗∗∗ --------------------------------------------- Attackers resorted to new ransomware after deployment of LockBit was blocked on targeted network. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/3am-rans… ∗∗∗ White House urging dozens of countries to publicly commit to not pay ransoms ∗∗∗ --------------------------------------------- The U.S. National Security Council (NSC) is urging the governments of all countries participating in the International Counter Ransomware Initiative (CRI) to issue a joint statement announcing they will not pay ransoms to cybercriminals, according to three sources with knowledge of the plans. --------------------------------------------- https://therecord.media/counter-ransomware-initiative-members-ransom-paymen… ∗∗∗ September 2023 release of new Exchange Server CVEs (resolved by August 2023 Security Updates) ∗∗∗ --------------------------------------------- You may have noticed there were several new Exchange Server CVEs that were released today (a part of September 2023 ‘Patch Tuesday’). If you haven’t yet, you can go to the Security Update Guide and filter on Exchange Server under Product Family to review CVE information. The CVEs released today were actually addressed in the August 2023 Exchange Server Security Update (SU). Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 ‘Patch Tuesday’ release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/september-2023-re… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2guardian), Fedora (libeconf), Red Hat (dmidecode, kernel, kernel-rt, keylime, kpatch-patch, libcap, librsvg2, linux-firmware, and qemu-kvm), Slackware (mozilla), SUSE (chromium and shadow), and Ubuntu (cups, dotnet6, dotnet7, file, flac, and ruby-redcloth). --------------------------------------------- https://lwn.net/Articles/944354/ ∗∗∗ BSRT-2023-001 Vulnerabilities in Management Console and Self Service Impact AtHoc Server ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/347067 ∗∗∗ PHP Shopping Cart-4.2 Multiple-SQLi ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023090037 ∗∗∗ Cisco IOS XR Software Compression ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Image Verification Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software iPXE Boot Signature Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Model-Driven Programmability Behavior with AAA Authorization ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Connectivity Fault Management Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Access Control List Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000136157 : sssd vulnerability CVE-2022-4254 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136157?utm_source=f5support&utm_medi… ∗∗∗ Trumpf: Multiple Products affected by WIBU Codemeter Vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-031/ ∗∗∗ Elliptic Labs Virtual Lock Sensor Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500576-ELLIPTIC-LABS-VIRTUAL-… ∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500578 ∗∗∗ Intel Dynamic Tuning Technology Advisory ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500577-INTEL-DYNAMIC-TUNING-T… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2023
by Daily end-of-shift report 12 Sep '23

12 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2023 18:00 − Dienstag 12-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New WiKI-Eve attack can steal numerical passwords over WiFi ∗∗∗ --------------------------------------------- A new attack dubbed WiKI-Eve can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-wiki-eve-attack-can-stea… ∗∗∗ Free Download Manager backdoored – a possible supply chain attack on Linux machines ∗∗∗ --------------------------------------------- Kaspersky researchers analyzed a Linux backdoor disguised as Free Download Manager software that remained under the radar for at least three years. --------------------------------------------- https://securelist.com/backdoored-free-download-manager-linux-malware/11046… ∗∗∗ Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper ∗∗∗ --------------------------------------------- "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said. --------------------------------------------- https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html ∗∗∗ Gefälschte Post-, DHL und UPS-Benachrichtigungen im Umlauf ∗∗∗ --------------------------------------------- Sie warten gerade auf ein Paket? Nehmen Sie Benachrichtigungen über den Lieferstatus genau unter die Lupe. Momentan kursieren viele betrügerische Infos. Per E-Mail oder SMS werden Sie informiert, dass noch Zollgebühren oder Versandkosten bezahlt werden müssen. Klicken Sie nicht auf den Link. Sie landen auf einer betrügerischen Seite, die Kreditkartendaten abgreift. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-post-dhl-und-ups-benachr… ∗∗∗ Das European Cyber Shield ∗∗∗ --------------------------------------------- Die EU will im Rahmen vom "Digital Europe Programme" mit Förderungen für die Vernetzung von SOCs die Sicherheit der EU stärken und das System über einen neuen "Cyber Solidarity Act" dauerhaft einrichten. Ich hab dazu im Rahmen des CSIRTs Network Meetings im Juni einen Vortrag gehalten, dessen Inhalt ich jetzt auf ein ausformuliertes Paper (auf Englisch) erweitert habe. --------------------------------------------- https://cert.at/de/blog/2023/9/european-cyber-shield ∗∗∗ Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk ∗∗∗ --------------------------------------------- A new vulnerability has been discovered that could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations. This technique could be used to perform a Repojacking attack (hijacking popular repositories to distribute malicious code). --------------------------------------------- https://checkmarx.com/blog/persistent-threat-new-exploit-puts-thousands-of-… ∗∗∗ Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter ∗∗∗ --------------------------------------------- Windows arbitrary file deletion vulnerabilities should no longer be considered mere annoyances or tools for Denial-of-Service (DoS) attacks. Over the past couple of years, these vulnerabilities have matured into potent threats capable of unearthing a portal to full system compromise. This transformation is exemplified in CVE-2023-27470 (an arbitrary file deletion vulnerability in N-Able’s Take Control Agent with a CVSS Base Score of 8.8) demonstrating that what might initially seem innocuous can, in fact, expose unexpected weaknesses within your system. --------------------------------------------- https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabili… ===================== = Vulnerabilities = ===================== ∗∗∗ NSO-Exploit: Apple fixt auch ältere Versionen von macOS, iOS und iPadOS ∗∗∗ --------------------------------------------- Nach Notfall-Updates für aktuelle Betriebssysteme schiebt Apple nun auch Patches für ältere Versionen nach. Man sollte flott aktualisieren. --------------------------------------------- https://heise.de/-9301842 ∗∗∗ Patchday: SAP schließt kritische Datenleak-Lücke in BusinessObjects ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für SAP-Software erschienen. Admins sollten zeitnah handeln. --------------------------------------------- https://heise.de/-9302399 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-cookiejar and orthanc), Oracle (firefox, kernel, and kernel-container), Red Hat (flac and httpd:2.4), Slackware (vim), SUSE (python-Django, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (c-ares, curl, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-raspi, and linux-ibm, linux-ibm-5.4). --------------------------------------------- https://lwn.net/Articles/944263/ ∗∗∗ ICS Patch Tuesday: Critical CodeMeter Vulnerability Impacts Several Siemens Products ∗∗∗ --------------------------------------------- ICS Patch Tuesday: Siemens has released 7 new advisories and Schneider Electric has released 1 new advisory. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-critical-codemeter-vulnerabi… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0008 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-28198, CVE-2023-32370,CVE-2023-40397. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0008.html ∗∗∗ Google Chrome 116.0.5845.187/.188 fixt kritische Schwachstelle ∗∗∗ --------------------------------------------- Google hat zum 11. September 2023 Updates des Google Chrome Browsers 116 im Stable und Extended Channel für Mac, Linux und Windows freigegeben. Es sind Sicherheitsupdates, die ausgerollt werden und eine Schwachstelle (Einstufung als "kritisch") beseitigen sollen. --------------------------------------------- https://www.borncity.com/blog/2023/09/11/google-chrome-116-0-5845-187-188-f… ∗∗∗ Fujitsu Software Infrastructure Manager ∗∗∗ --------------------------------------------- An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-02 ∗∗∗ Sicherheitsupdates in Foxit PDF Reader 2023.2 und Foxit PDF Editor 2023.2 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ Hitachi Energy Lumada APM Edge ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-01 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031625 ∗∗∗ Control Access issues in PCOMM ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031707 ∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001699 ∗∗∗ A vulnerability in FasterXML Jackson Core may affect IBM Robotic Process Automation and result in an application crash (IBM X-Force ID: 256137). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031716 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable could provide weaker than expected security. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031051 ∗∗∗ Vulnerability in Open JDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031729 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules tough-cookie and semver (CVE-2023-26136, CVE-2022-25883). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031733 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031754 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2023
by Daily end-of-shift report 11 Sep '23

11 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2023 18:00 − Montag 11-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Teams phishing attack pushes DarkGate malware ∗∗∗ --------------------------------------------- A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-att… ∗∗∗ Facebook Messenger phishing wave targets 100K business accounts per week ∗∗∗ --------------------------------------------- Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-… ∗∗∗ From Caribbean shores to your devices: analyzing Cuba ransomware ∗∗∗ --------------------------------------------- The article analyzes the malicious tactics, techniques and procedures (TTP) used by the operator of the Cuba ransomware, and details a Cuba attack incident. --------------------------------------------- https://securelist.com/cuba-ransomware/110533/ ∗∗∗ New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World ∗∗∗ --------------------------------------------- A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer. --------------------------------------------- https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.h… ∗∗∗ Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows ∗∗∗ --------------------------------------------- A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. --------------------------------------------- https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html ∗∗∗ Passwortmanager: LastPass-Hacker scheinen Kennworttresore zu knacken ∗∗∗ --------------------------------------------- Cyberkriminelle haben vergangenes Jahr LastPass-Kennworttresore kopiert. Nun scheinen sie diese zu knacken und Krypto-Wallets leerzuräumen. --------------------------------------------- https://heise.de/-9300583 ∗∗∗ From ERMAC to Hook: Investigating the technical differences between two Android malware variants ∗∗∗ --------------------------------------------- Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families. --------------------------------------------- https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-t… ∗∗∗ Zahlreiche unseriöse Dirndl-Shops im Umlauf ∗∗∗ --------------------------------------------- Wiesenzeit ist Dirndlzeit! Das wissen auch unseriöse Shop-Betreiber:innen. Damit möglichst viele potenzielle Opfer davon erfahren, wird auf Werbung via Facebook und Instagram gesetzt. Versprochen werden hochwertige Dirndl zu einem unschlagbar günstigen Preis. Erfahrungsberichte zeigen jedoch, dass nur minderwertige Kleidung bei den Konsument:innen ankommt. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-unserioese-dirndl-shops-i… ∗∗∗ A classification of CTI Data feeds ∗∗∗ --------------------------------------------- We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic. --------------------------------------------- https://cert.at/en/blog/2023/9/cti-data-feeds ===================== = Vulnerabilities = ===================== ∗∗∗ Pyramid vulnerable to directory traversal ∗∗∗ --------------------------------------------- Pyramid provided by Pylons Project contains a directory traversal vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN41113329/ ∗∗∗ HPE OneView: Kritische Lücke erlaubt Umgehung von Authentifizierung ∗∗∗ --------------------------------------------- HPE warnt vor mehreren Sicherheitslücken in OneView, einer Infrastrukurverwaltungssoftware. Angreifer könnten etwa die Anmeldung umgehen. --------------------------------------------- https://heise.de/-9301047 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc). --------------------------------------------- https://lwn.net/Articles/944190/ ∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.0.380 ∗∗∗ --------------------------------------------- https://www.tracker-software.com/support/security-bulletins.html ∗∗∗ Mattermost security updates 8.1.2 (ESR) / 8.0.3 / 7.8.11 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-1-2-esr-8-0-3-7-8… ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031271 ∗∗∗ Vulnerability in BIND affects IBM Integrated Analytics System (Sailfish)[CVE-2023-2828] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031294 ∗∗∗ Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish)[CVE-2023-38408] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031293 ∗∗∗ Vulnerabilities in IBM Websphere Application Server affects IBM Application Performance Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031576 ∗∗∗ Due to use of, IBM Application Performance Management is vulnerable to a local authenticated attacker to obtain sensitive information. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031614 ∗∗∗ A vulnerability in Microsoft .NET may affect IBM Robotic Process Automation allowing an attacker to conduct spoofing attacks (CVE-2022-34716) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031620 ∗∗∗ A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029529 ∗∗∗ A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031621 ∗∗∗ IBM Robotic Process Automation could disclose sensitive information from access to RPA scripts, workflows and related data (CVE-2023-38718) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031619 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031624 ∗∗∗ A vulnerability in Newtonsoft.Json may affect IBM Robotic Process Automation and result in a denial of service (IBM X-Force ID: 234366). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031623 ∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities (CVE-2023-21939, CVE-2023-21967, CVE-2022-29117, XFID: 234366) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012455 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2023
by Daily end-of-shift report 08 Sep '23

08 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-09-2023 18:00 − Freitag 08-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Post-Quantum Cryptography ∗∗∗ --------------------------------------------- Das Aufkommen von fähigen Quantencomputern hat massive Seiteneffekte auf die Sicherheit diverser kryptografischer Grundoperationen. Diese sind in den letzten Jahren zu essentiellen Bausteinen unserer IT Architektur – insbesondere in vernetzten Systemen – geworden. Noch funktioniert alles, aber wenn wir nicht bald anfangen, uns auf die diese kommende Gefahr vorzubereiten, dann wird die Transition zu „post-quantum cryptography“ eine Schmerzhafte werden. [..] Ich darf nächste Woche bei einer Veranstaltung dazu am Podium sitzen. Und wenn ich mich schon darauf vorbereite, dann teile ich doch gleich meine Quellen und Schlussfolgerungen. --------------------------------------------- https://cert.at/de/blog/2023/9/post-quantum-cryptography ∗∗∗ CISA warns of critical Apache RocketMQ bug exploited in attacks ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its catalog of known exploited vulnerabilities (KEV) a critical-severity issue tracked as CVE-2023-33246 that affects Apaches RocketMQ distributed messaging and streaming platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-apach… ∗∗∗ Paranoids Vulnerability Research: Ivanti Issues Security Alert ∗∗∗ --------------------------------------------- The vulnerability allowed for remote code execution — giving a bad actor a method to distribute malicious software through a tool that sends out security updates. And, as part of the research process, we confirmed the feasibility of this by developing an end-to-end exploit that showcases how malware can be distributed to managed endpoints (demo). --------------------------------------------- https://www.yahooinc.com/paranoids/paranoids-vulnerability-research-ivanti-… ∗∗∗ Malvertising-Kampagne will Mac-Nutzern Atomic Stealer unterjubeln ∗∗∗ --------------------------------------------- IT-Forscher beobachten eine Malvertising-Kampagne, deren Urheber Mac-Nutzern den Atomic Stealer unterschieben wollen. Der klaut etwa Krypto-Währungen. --------------------------------------------- https://heise.de/-9298637 ∗∗∗ Emsisoft Tells Users to Update Products, Reboot Systems Due to Certificate Mishap ∗∗∗ --------------------------------------------- The problem, the company says, affects its Extended Validation (EV) code signing certificate that was renewed on August 23 and used to sign all program files compiled after that date, including the latest software version, released on September 4. --------------------------------------------- https://www.securityweek.com/emsisoft-tells-users-to-update-products-reboot… ∗∗∗ New Phishing Campaign Launched via Google Looker Studio ∗∗∗ --------------------------------------------- Cybersecurity firm Check Point is warning of a new type of phishing attacks that abuse Google Looker Studio to bypass protections. --------------------------------------------- https://www.securityweek.com/new-phishing-campaign-launched-via-google-look… ∗∗∗ MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors ∗∗∗ --------------------------------------------- CISA obtained five malware samples - including artifacts related to SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0 ∗∗∗ W3LL-Phishing Kit kann Multifaktor-Authentifizierung aushebeln; Tausende von Microsoft 365-Konten gekapert ∗∗∗ --------------------------------------------- Der in Singapur angesiedelte Sicherheitsanbieter Group-IB hat die Tage einen Sicherheits-Report veröffentlicht, der auf spezielle Aktivitäten einer W3LL genannten Gruppe von Cyberkriminellen hinweist. Die Cybergang hat ein spezielles Phishing-Kit entwickelt, um Microsoft 365-Konten zu kapern und bietet diese Dienstleistung mindestens 500 anderen Cybergangs über einen geheimen W3LL Store an. --------------------------------------------- https://www.borncity.com/blog/2023/09/08/w3ll-phishing-kit-kann-multifaktor… ∗∗∗ A Deep Dive into 70 Layers of Obfuscated Info-Stealer Malware ∗∗∗ --------------------------------------------- In the battle of hackers against defenders, we consistently find hackers trying to disguise their true intent. We have analyzed an interesting sample that was armed with multiple layers of obfuscation. These packages were quite the challenge. --------------------------------------------- https://checkmarx.com/blog/a-deep-dive-into-70-layers-of-obfuscated-info-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates für macOS, iOS/iPadOS schließen zwei 0-Days der NSO-Group (Pegasus Spyware) ∗∗∗ --------------------------------------------- Apple hat zum 7. September 2023 wieder einen Schwung Sicherheitsupdates für seine Betriebssysteme macOS, iOS/iPadOS und auch WatchOS veröffentlicht. Mit diesen Updates werden zwei 0-Day-Schwachstellen geschlossen, die von der Pegasus Spyware der NSO-Group für die Überwachung von Mobilgeräten missbraucht wurden. --------------------------------------------- https://www.borncity.com/blog/2023/09/08/sicherheitsupdates-fr-macos-ios-ip… ∗∗∗ OpenSSL Security Advisory [8th September 2023] ∗∗∗ --------------------------------------------- POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807). Severity: Low --------------------------------------------- https://www.openssl.org/news/secadv/20230908.txt ∗∗∗ QNAP Security Advisories 2023-09-08 ∗∗∗ --------------------------------------------- QNAP has released 4 security advisories: (1x High, 3x Medium) --------------------------------------------- https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/943990/ ∗∗∗ Notepad++ v8.5.7 fixt Schwachstellen ∗∗∗ --------------------------------------------- Mitte August 2023 hatte Sicherheitsforscher Jaroslav Lobacevski vier Schwachstellen (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) im Editor Notepad ++ für Windows öffentlich gemacht. Die Einstufung der Schwachstellen reicht von mittel bis hoch. Der Entwickler hat diese Schwachstellen, nachdem ihm diese seit Monaten bekannt sind, nun mit dem Update auf Notepad++ v8.5.7 beseitigt. --------------------------------------------- https://www.borncity.com/blog/2023/09/08/notepad-v8-5-7-fixt-schwachstellen/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-018/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2023
by Daily end-of-shift report 07 Sep '23

07 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-09-2023 18:00 − Donnerstag 07-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Next-Generation Context Aware Password Cracking ∗∗∗ --------------------------------------------- TLDR; Using ChatGPT, an attacker can generate a list of password guesses based on the context of the target such as a company’s description or social media accounts. --------------------------------------------- https://medium.com/@doctoreww/next-generation-context-aware-password-cracki… ∗∗∗ Cisco warnt vor teils kritischen Lücken und liefert Updates für mehrere Produkte ∗∗∗ --------------------------------------------- In mehreren Cisco-Produkten lauern Sicherheitslücken, die Updates schließen sollen. Eine gilt sogar als kritisch. --------------------------------------------- https://heise.de/-9297182 ∗∗∗ FreeWorld ransomware attacks MSSQL—get your databases off the Internet ∗∗∗ --------------------------------------------- When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks… ∗∗∗ Ozempic, Wegovy & Co: Vorsicht vor Fake-Shops mit „Schlankheitsmitteln“ ∗∗∗ --------------------------------------------- Diabetes-Medikamente wie Ozempic, Saxenda oder Metformin sind seit einiger Zeit von Lieferengpässen betroffen. Der Grund: Elon Musk, Kim Kardashian und andere Prominente nutzen diese und ähnliche Medikamente zum Abnehmen, der Hype dieser „Abnehmspritzen“ ließ nicht lange auf sich warten. Ein Trend, den sich auch Kriminelle zunutze machen. Sie bieten die eigentlich verschreibungspflichtigen Medikamente in Fake-Shops als Schlankheitsmittel an. --------------------------------------------- https://www.watchlist-internet.at/news/ozempic-wegovy-co-vorsicht-vor-fake-… ∗∗∗ A classification of CTI Data feeds ∗∗∗ --------------------------------------------- We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic. --------------------------------------------- https://cert.at/en/blog/2023/9/cti-data-feeds ∗∗∗ Cybercriminals target graphic designers with GPU miners ∗∗∗ --------------------------------------------- Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines. --------------------------------------------- https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-… ∗∗∗ CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells ∗∗∗ --------------------------------------------- This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-releases-update-thr… ∗∗∗ MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 ∗∗∗ --------------------------------------------- CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization [..] CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-250a ===================== = Vulnerabilities = ===================== ∗∗∗ Aruba-Controller und -Gateways mit hochriskanten Sicherheitslücken ∗∗∗ --------------------------------------------- Für Aruba-Controller und -Gateways der Serien 9000 und 9200 gibt es Updates, die hochriskante Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-9297925 ∗∗∗ Cisco Security Advisories 2023-09-06 - 2023-09-06 ∗∗∗ --------------------------------------------- Cisco has released 6 security advisories: (1x Critical, 1x High, 4x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Sicherheitsupdates: Unbefugte Zugriffe auf TP-Link-Router möglich ∗∗∗ --------------------------------------------- Angreifer können verschiedene Router von TP-Link attackieren und im schlimmsten Fall eigene Befehle auf Geräten ausführen. --------------------------------------------- https://heise.de/-9297306 ∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗ --------------------------------------------- Update - September 5th 2023: A new variant of the SRX upload vulnerability has been published by external researchers (CVE-2023-36851). All fixes listed under Solution below break the RCE chain --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) ∗∗∗ --------------------------------------------- Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox). --------------------------------------------- https://lwn.net/Articles/943856/ ∗∗∗ CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed) ∗∗∗ --------------------------------------------- CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information [..] CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9 which is now available for customer deployment. --------------------------------------------- https://www.rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserializat… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console (CVSS v3 9.1), ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT (CVSS v3 9.6), ICSA-23-250-03 Socomec MOD3GP-SY-120K (CVSS v3 10.0), ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update) (CVSS v3 7.8) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/07/cisa-releases-four-indus… ∗∗∗ Drupal: WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-044 ∗∗∗ Drupal: highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-043 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2023
by Daily end-of-shift report 06 Sep '23

06 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-09-2023 18:00 − Mittwoch 06-09-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Schadcode-Attacken auf Android 11, 12, 13 möglich ∗∗∗ --------------------------------------------- Google und weitere Hersteller von Android-Geräten haben wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-9296497 ∗∗∗ Microsoft überarbeitet Downfall-Empfehlungen; MSI liefert BIOS-Update für UNSUPPORTED_PROCESSOR-Problem ∗∗∗ --------------------------------------------- Im August war die sogenannte Downfall-Schwachstelle in Prozessoren bekannt geworden, die ein Abfließen von Informationen ermöglicht. Nun hat Microsoft seinen Support-Beitrag mit Hinweisen zur Downfall-Schwachstelle unter Windows aktualisiert und Informationen zum Deaktivieren der Schutzmaßnahmen entfernt. Weiterhin gab es nach Installation [..] --------------------------------------------- https://www.borncity.com/blog/2023/09/06/microsoft-berarbeitet-downfall-emp… ∗∗∗ Pandoras box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes ∗∗∗ --------------------------------------------- Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan. --------------------------------------------- https://news.drweb.com/show/?i=14743 ∗∗∗ Security Relevant DNS Records, (Wed, Sep 6th) ∗∗∗ --------------------------------------------- DNS has a big security impact. DNS is in part responsible for your traffic reaching the correct host on the internet. But there is more to DNS then name resolution. I am going to mention a few security relevant record types here, in no particular order: [..] --------------------------------------------- https://isc.sans.edu/diary/rss/30194 ∗∗∗ Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign ∗∗∗ --------------------------------------------- Since September 2022, our team has been tracking a bogus URL shortener redirect campaign that started with just a single domain: ois[.]is. By the beginning of 2023, this malware campaign had expanded to over a hundred domain names to redirect traffic to low quality Q&A sites and monetize traffic via Google AdSense. In fact, since the beginning of this year alone, Sucuri’s remote website scanner has detected various strains of this malware on over 24,000 websites. --------------------------------------------- https://blog.sucuri.net/2023/09/bogus-url-shorteners-go-mobile-only-in-adse… ∗∗∗ Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant ∗∗∗ --------------------------------------------- The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. --------------------------------------------- https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html ∗∗∗ Lord Of The Ring0 - Part 5 ∗∗∗ --------------------------------------------- In this blog post, I’ll explain two common hooking methods (IRP Hooking and SSDT Hooking) and two different injection techniques from the kernel to the user mode for both shellcode and DLL (APC and CreateThread) with code snippets and examples from Nidhogg. --------------------------------------------- https://idov31.github.io/2023/07/19/lord-of-the-ring0-p5.html ∗∗∗ A review of SolarWinds attack on Orion platform using persistent threat agents and techniques for gaining unauthorized access ∗∗∗ --------------------------------------------- This paper of work examines the SolarWinds attack, designed on Orion Platform security incident. It analyses the persistent threats agents and potential technical attack techniques to gain unauthorized access. [..] It concludes with necessary remediation actions on cyber hygiene countermeasures, common vulnerabilities and exposure analysis and solutions. --------------------------------------------- https://arxiv.org/abs/2308.10294 ∗∗∗ What is ISO 27002:2022 Control 8.9? A Quick Look at the Essentials ∗∗∗ --------------------------------------------- Configuration management is now presented as a new control in the new, revised edition of ISO 27002:2022 (Control 8.9). It is a crucial component of an organizations security management. This blog will guide you through the essentials of Control 8.9. --------------------------------------------- https://www.tripwire.com/state-of-security/what-iso-270022022-control-89-qu… ∗∗∗ Peeking under the bonnet of the Litter Robot 3 ∗∗∗ --------------------------------------------- I began to wonder what interesting things I may find when doing a small tear down of the Litter Robot’s components including the PCB, firmware, and mobile application. [..] So, please follow me on my journey to understanding the extraction and analysis of an ESP32 IOT device, reverse engineering a Flutter mobile application, and capturing and analysing the network traffic between the device, the mobile app and the internet. --------------------------------------------- https://www.elttam.com/blog/re-of-lr3/ ∗∗∗ Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach ∗∗∗ --------------------------------------------- [..] Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials [..] Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections [..] According to MetaMask’s Monahan, users who stored any important passwords with LastPass [..] should change those credentials immediately --------------------------------------------- https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-s… ∗∗∗ Android 14 blocks all modification of system certificates, even as root ∗∗∗ --------------------------------------------- If youre an Android developer, tester, reverse engineer, or anybody else interested in directly controlling who your device trusts, this is going to create some new challenges. Before we get into the finer details, first I want to talk a little about the context around Android CA management and how we got here [..] --------------------------------------------- https://httptoolkit.com/blog/android-14-breaks-system-certificate-installat… ∗∗∗ You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks ∗∗∗ --------------------------------------------- And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsofts code. [..] The No. 1 flaw on the list was patched in November 2017, a code execution hole in Microsoft Offices Equation Editor wed have hoped had been mostly mitigated by now. --------------------------------------------- https://www.theregister.com/2023/09/05/qualys_top_20_vulnerabilities/ ∗∗∗ Code Vulnerabilities Leak Emails in Proton Mail ∗∗∗ --------------------------------------------- In this blog post, we first present the technical details of the vulnerabilities we found in Proton Mail. We show how an innocent-looking piece of code led to a Cross-Site Scripting issue that made it possible for attackers to steal unencrypted emails and impersonate victims. As part of a 3-post series, we will cover other severe vulnerabilities we found in Skiff and Tutanota Desktop in the coming weeks. --------------------------------------------- https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton… ∗∗∗ 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets ∗∗∗ --------------------------------------------- We scanned the Alexa Top 1 Million Websites for leaked secrets. We found thousands of exposed source code repositories and hundreds of live API keys. These are our top 5 takeaways --------------------------------------------- https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-… ∗∗∗ Apache Superset Part II: RCE, Credential Harvesting and More ∗∗∗ --------------------------------------------- In this post, we disclose all the issues we’ve reported to Superset, including two new high severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, that are fixed in the just released 2.1.1 version of Superset. We strongly recommend that all Superset users upgrade to this version. --------------------------------------------- https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-a… ∗∗∗ New phishing tool hijacked thousands of Microsoft business email accounts ∗∗∗ --------------------------------------------- Researchers have uncovered a hidden “phishing empire” targeting businesses in Europe, Australia and the U.S. with a sophisticated new tool. A hacking group called W3LL, which has been active since at least 2017, has created an English-language underground marketplace to sell a phishing kit that can bypass multi-factor authentication, according to a report [..] --------------------------------------------- https://therecord.media/w3ll-phishing-toolkit-bec-microsoft-365-accounts ∗∗∗ Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors. --------------------------------------------- https://asec.ahnlab.com/en/56756/ ∗∗∗ SapphireStealer: Open-source information stealer enables credential and data theft ∗∗∗ --------------------------------------------- SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims. --------------------------------------------- https://blog.talosintelligence.com/sapphirestealer-goes-open-source/ ∗∗∗ Threat Actor Continues to Plague the Open-Source Ecosystem with Sophisticated Info-Stealing Malware ∗∗∗ --------------------------------------------- In May, we sounded the alarm about PYTA31, an advanced persistent threat actor distributing the “WhiteSnake” malware. Since then, we’ve been rigorously monitoring this group, which has been active from April through mid-August, distributing malicious PyPI packages laced with “WhiteSnake Malware.” --------------------------------------------- https://checkmarx.com/blog/threat-actor-continues-to-plague-the-open-source… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Angreifer können Kontrolle über Asus-Router erlangen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden verschiedene Router-Modelle von Asus. Patches sichern Geräte ab. --------------------------------------------- https://heise.de/-9296210 ∗∗∗ Webbrowser: Hochriskante Schwachstellen in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Google stopft mit aktualisiertern Chrome-Versionen vier als hochriskant eingestufte Sicherheitslücken. --------------------------------------------- https://heise.de/-9295977 ∗∗∗ Researchers Discover Critical Vulnerability in PHPFusion CMS ∗∗∗ --------------------------------------------- No patch is available yet for the bug, which can enable remote code execution under the correct circumstances. --------------------------------------------- https://www.darkreading.com/application-security/researchers-discover-criti… ∗∗∗ Forthcoming OpenSSL Release ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1w. This release will be made available on Monday 11th September 2023 between 1300-1700 UTC. This is a security-fix release. The highest severity issue fixed in this release is Low --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.ht… ∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗ --------------------------------------------- 2023-09-05: Important update for SRX customers --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aom and php7.3), Fedora (freeimage and mingw-freeimage), Scientific Linux (thunderbird), SUSE (amazon-ssm-agent, chromium, container-suseconnect, docker, glib2, php7, python-Django1, and rubygem-rails-html-sanitizer), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-ibm, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-gcp, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia). --------------------------------------------- https://lwn.net/Articles/943679/ ∗∗∗ VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/304455 ∗∗∗ Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/09/stored-cross-site-scripting-vulnerab… ∗∗∗ AtlasVPN to Patch IP Leak Vulnerability After Public Disclosure ∗∗∗ --------------------------------------------- https://www.securityweek.com/atlasvpn-to-patch-ip-leak-vulnerability-after-… ∗∗∗ Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio ∗∗∗ --------------------------------------------- https://www.securityweek.com/dozens-of-unpatched-flaws-expose-security-came… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2023
by Daily end-of-shift report 05 Sep '23

05 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Montag 04-09-2023 18:00 − Dienstag 05-09-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit MinIO storage system to breach corporate networks ∗∗∗ --------------------------------------------- Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storag… ∗∗∗ DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates ∗∗∗ --------------------------------------------- A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate."The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week. --------------------------------------------- https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html ∗∗∗ New Python Variant of Chaes Malware Targets Banking and Logistics Industries ∗∗∗ --------------------------------------------- Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes."It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up [..] --------------------------------------------- https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html ∗∗∗ New BLISTER Malware Update Fuelling Stealthy Network Infiltration ∗∗∗ --------------------------------------------- An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.“New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers [..] --------------------------------------------- https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html ∗∗∗ Nascent Malware Campaign Targets npm, PyPI, and RubyGems Developers ∗∗∗ --------------------------------------------- Python Malware: On the morning of September 3, 2023, our automated platform notified us of the first package in this campaign: kwxiaodian [..] This follows a common pattern we see across many early campaigns and one we witnessed a few weeks back [..] Obfuscated Javascript Packages: At roughly the same time, we received notifications about malicious package publications on npm. Rubygems Package: The Rubygems package follows similar patterns to both the PyPI and npm packages. --------------------------------------------- https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-devel… ∗∗∗ Common usernames submitted to honeypots ∗∗∗ --------------------------------------------- Based on reader feedback, I decided to take a look at usernames submitted to honeypots. The usernames that are seen on a daily basis look very familiar. [..] I exported the username data from my honeypot, which is a little over 16 months of data --------------------------------------------- https://isc.sans.edu/diary/rss/30188 ∗∗∗ Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places ∗∗∗ --------------------------------------------- During the assessment of the target application, it was observed that the server had implemented restrictions to prevent Web Cache Deception attacks on API/Web endpoints that had session tokens or data in the response. Unfortunately, the same precautions were not implemented on the /404 page or any /nonexistingurl. We discovered that the response for any endpoint that doesnt exist contained PII information without any cache controls in place. --------------------------------------------- https://blog.agilehunt.com/blogs/security/web-cache-deception-attack-on-404… ∗∗∗ Whats in a name? [..] The .kids TLD is not alright ∗∗∗ --------------------------------------------- Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids. Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.” [..] we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more. --------------------------------------------- https://blog.talosintelligence.com/whats-in-a-name/ ∗∗∗ Inconsistencies in the Common Vulnerability Scoring System (CVSS) ∗∗∗ --------------------------------------------- The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. --------------------------------------------- https://www.schneier.com/blog/archives/2023/09/inconsistencies-in-the-commo… ∗∗∗ CVE-2023-4634 - Tricky Unauthenticated RCE on Wordpress Media Library Assistant Plugin using a good old Imagick ∗∗∗ --------------------------------------------- As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface [..] The vulnerability described below is a perfect example --------------------------------------------- https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/ ∗∗∗ When URL parsers disagree (CVE-2023-38633) ∗∗∗ --------------------------------------------- Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing leading to path traversal. --------------------------------------------- https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-3… ∗∗∗ Vorsicht vor betrügerischen PayPal-Anrufen ∗∗∗ --------------------------------------------- Ihr Telefon klingelt. Sie heben ab und eine Tonbandstimme meldet sich: „Hallo, hier ist PayPal. Sie haben soeben 738 Euro überwiesen. Um den Zahlvorgang abzubrechen, drücken Sie die 1.“ Drücken Sie keinesfalls die 1, hierbei handelt es sich um eine Betrugsmasche. Legen Sie auf! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-paypal-… ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS routers vulnerable to critical remote code execution flaws ∗∗∗ --------------------------------------------- Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-c… ∗∗∗ Multiple vulnerabilities in F-RevoCRM ∗∗∗ --------------------------------------------- * An attacker who can access the product may execute an arbitrary OS command on the server where the product is running - CVE-2023-41149 * An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-41150 --------------------------------------------- https://jvn.jp/en/jp/JVN78113802/ ∗∗∗ Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions (CVE-2023-3634) ∗∗∗ --------------------------------------------- Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet todays security requirements. The products are designed and developed for use in sealed-off (industrial) networks. If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity. Remediation: Update of user documentation in next product version. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-020/ ∗∗∗ 9 Vulnerabilities Patched in SEL Power System Management Products ∗∗∗ --------------------------------------------- Researchers at industrial cybersecurity firm Nozomi Networks have analyzed the company’s SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator, software products designed to allow engineers and technicians to configure and manage devices for power system protection, control, metering and monitoring, and to create and deploy settings for SEL power system devices. Nozomi researchers discovered a total of nine vulnerabilities, including four that have been assigned a ‘high severity’ rating --------------------------------------------- https://www.securityweek.com/9-vulnerabilities-patched-in-sel-power-system-… ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-248-01 Fujitsu Limited Real-time Video Transmission Gear IP series: CVE-2023-38433 * ICSMA-23-248-01 Softneta MedDream PACS Premium: CVE-2023-40150, CVE-2023-39227 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/05/cisa-releases-two-indust… ∗∗∗ AVM: Fritzbox-Firmware 7.57 und 7.31 stopfen Sicherheitsleck ∗∗∗ --------------------------------------------- AVM hat für zahlreiche Fritzboxen die Firmware 7.57 und 7.31 veröffentlicht. Es handelt sich um ein Stabilitäts- und Sicherheitsupdate. --------------------------------------------- https://heise.de/-9294758 ∗∗∗ Xen XSA-437: arm32: The cache may not be properly cleaned/invalidated ∗∗∗ --------------------------------------------- A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. CVE ID: CVE-2023-34321 --------------------------------------------- https://xenbits.xen.org/xsa/advisory-437.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4). --------------------------------------------- https://lwn.net/Articles/943584/ ∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-24998 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030594 ∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-28708 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030596 ∗∗∗ Vulnerabilities found in batik-all-1.7.jar, batik-dom-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-8013, CVE-2017-5662, CVE-2015-0250) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030598 ∗∗∗ Due to use of FasterXML Jackson-databind, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030601 ∗∗∗ Due to use of Kafka, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to obtain sensitive information. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030604 ∗∗∗ Due to use of Spark from Hadoop, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to traverse directories on the system. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030603 ∗∗∗ Due to use of Apache Cassandra , IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to an authenticated attacker to gaining elevated privileges. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030602 ∗∗∗ Due to use of IBM WebSphere Application Server Liberty, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030610 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030605 ∗∗∗ Due to use of NodeJS, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030612 ∗∗∗ A security vulnerability has been identified in IBM SDK, Java Technology Edition shipped with IBM Tivoli Business Service Manager (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030613 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030614 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030615 ∗∗∗ Vulnerability found in commons-io-1.3.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030617 ∗∗∗ Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030627 ∗∗∗ Vulnerability found in pdfbox-1.8.1.jar which is shipped with IBM Intelligent Operations Center(220742, CVE-2018-11797, CVE-2016-2175) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030626 ∗∗∗ Vulnerabilities found in poi-3.9.jar, poi-scratchpad-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-12626, CVE-2014-9527) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030629 ∗∗∗ Vulnerabilities found in jackson-mapper-asl-1.9.13.jar which is shipped with IBM Intelligent Operations Center(CVE-2019-10202, CVE-2019-10172) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030623 ∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2020-15168, CVE-2022-0235) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030624 ∗∗∗ Vulnerability found in fontbox-1.8.1.jarr which is shipped with IBM Intelligent Operations Center(CVE-2018-8036) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030622 ∗∗∗ Vulnerabilities found in cxf-rt-transports-http-3.0.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2016-6812, CVE-2018-8039, CVE-2020-13954) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030618 ∗∗∗ Vulnerability found in fop-1.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5661) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030621 ∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2021-44906, CVE-2020-7598) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030625 ∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-1000632) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030619 ∗∗∗ Vulnerability found in commons-codec-1.5.jar which is shipped with IBM Intelligent Operations Center(177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030616 ∗∗∗ IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027922 ∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030632 ∗∗∗ A Vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030634 ∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-10683) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030636 ∗∗∗ Vulnerability found in xmlgraphics-commons-1.5.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-11988) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030630 ∗∗∗ Multiple Vulnerabilities found in IBM DB2 which is shipped with IBM Intelligent Operations Center(CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030638 ∗∗∗ Vulnerabilities found in batik-bridge-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-40146, CVE-2022-38648, CVE-2022-38398) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030631 ∗∗∗ Vulnerability found in cxf-core-3.5.4.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030633 ∗∗∗ Vulnerability found in cxf-rt-transports-http-3.5.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030635 ∗∗∗ Vulnerability found in commons-net-1.4.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-37533) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030637 ∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21426) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030641 ∗∗∗ Vulnerabilities found in jackson-mapper-asl which is shipped with IBM Intelligent Operations Center(CVE-2019-10172, CVE-2019-10202) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030639 ∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-21830, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030640 ∗∗∗ A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM Intelligent Operations Center(CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030642 ∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030643 ∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030644 ∗∗∗ Multiple Angular vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118, CVE-2022-25869, CVE-2022-25844) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030667 ∗∗∗ IBM SDK, Java Technology Edition, Security Update August 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030664 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2023-22045, CVE-2023-22049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030666 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2023
by Daily end-of-shift report 04 Sep '23

04 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-09-2023 18:00 − Montag 04-09-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Chrome extensions can steal plaintext passwords from websites ∗∗∗ --------------------------------------------- A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a websites source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-… ∗∗∗ New ‘YouPorn’ sextortion scam threatens to leak your sex tape ∗∗∗ --------------------------------------------- A new sextortion scam is making the rounds that pretends to be an email from the adult site YouPorn, warning that a sexually explicit video of you was uploaded to the site and suggesting you pay to have it taken down. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-youporn-sextortion-scam-… ∗∗∗ Yes, theres an npm package called @(-.-)/env and some others like it ∗∗∗ --------------------------------------------- Strangely named npm packages like -, @!-!/-, @(-.-)/env, and --hepl continue to exist on the internets largest software registry. While not all of these may necessarily pose an obvious security risk, some were named before npm enforced naming guidelines and could potentially break tooling. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/yes-theres-an-npm-package-… ∗∗∗ PoC Exploit Released for Critical VMware Arias SSH Auth Bypass Vulnerability ∗∗∗ --------------------------------------------- Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation. --------------------------------------------- https://thehackernews.com/2023/09/poc-exploit-released-for-critical.html ∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗ --------------------------------------------- Wie schütze ich mich vor Internetkriminalität? Wie kann ich einen Fake Shop von einem seriösen Online-Shop unterscheiden? Wo lauern die dreistesten Abo-Fallen? Wie verschaffen sich Kriminelle Zugang zu meinen Daten? Das Webinar informiert über gängige Betrugsfallen im Internet und hilft, diese zu erkennen. Nehmen Sie kostenlos teil: Dienstag 12. September 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er… ∗∗∗ Neue Phishing-Mails im Namen der ÖGK und des Finanzamtes unterwegs ∗∗∗ --------------------------------------------- Aktuell sind zwei neue Phishing-Mails im Umlauf. In der einen geben sich Kriminelle als Österreichische Gesundheitskasse (ÖGK) aus und behaupten, dass Sie eine Erstattung erhalten. Im anderen Mail wird Ihnen im Namen von FinanzOnline eine Erhöhung der Rente versprochen. Beide Mails fordern Sie auf, auf einen Link zu klicken. Ignorieren Sie diese Mails. Kriminelle stehlen damit Ihre Bankdaten. --------------------------------------------- https://www.watchlist-internet.at/news/neue-phishing-mails-im-namen-der-oeg… ∗∗∗ Decryptor für Key Group Ransomware verfügbar ∗∗∗ --------------------------------------------- Sicherheitsforscher von ElectricIQ haben in den Routinen der Key Group Ransomware eine Schwachstelle entdeckt, die es ermöglichte, Entschlüsselungs-Tools zur Wiederherstellung verschlüsselter Dateien zu entwickeln. --------------------------------------------- https://www.borncity.com/blog/2023/09/03/decryptor-fr-key-group-ransomware-… ∗∗∗ Firmware-Updates: Surface Laptop 4 und Surface Duo ∗∗∗ --------------------------------------------- Microsoft hat zum 31. August 2023 ein Firmware-Update für seinen Surface Laptop 4 veröffentlicht, welches Sicherheitsprobleme und ein Lade-Problem beheben soll. Zudem gibt es wohl das (vermutlich) letzte Firmware-Update für das Smartphone Surface Duo. --------------------------------------------- https://www.borncity.com/blog/2023/09/03/firmware-updates-surface-laptop-4-… ===================== = Vulnerabilities = ===================== ∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change ∗∗∗ --------------------------------------------- The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php ∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC ∗∗∗ --------------------------------------------- An unauthenticated attacker can retrieve the controllers configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (firefox, kernel, kubernetes, and mediawiki), Mageia (openldap), SUSE (terraform), and Ubuntu (atftp, busybox, and thunderbird). --------------------------------------------- https://lwn.net/Articles/943492/ ∗∗∗ Mattermost security updates 8.1.1 (ESR) / 8.0.2 / 7.8.10 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.1.1 (Extended Support Release), 8.0.2, and 7.8.10 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-1-1-esr-8-0-2-7-8… ∗∗∗ Sicherheitslücken (CVE-2023-40481, CVE-2023-31102) in 7-ZIP; Fix in Version 23.00 (August 2023) ∗∗∗ --------------------------------------------- Kurzer Nachtrag vom Ende August 2023. Im Programm 7-Zip, welches zum Packen und Entpacken von ZIP-Archivdateien eingesetzt wird, haben Sicherheitsforscher gleich zwei Schwachstellen gefunden. Die Schwachstellen CVE-2023-40481 und CVE-2023-31102 werden vom Sicherheitsaspekt als hoch riskant eingestuft [..] Beide Schwachstellen wurden am 21. November 2022 an die 7-ZIP-Entwickler gemeldet und laut der Zero-Day-Initiative vom 23. August 2023 mit einem Update der Software auf die Version 23.00 (damals noch Beta) geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/09/03/sicherheitslcken-cve-2023-40481-cv… ∗∗∗ IBM MQ Explorer is affected by vulnerabilities in Eclipse Jetty (CVE-2023-26048, CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027923 ∗∗∗ IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027922 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030429 ∗∗∗ IBM Security Verify Information Queue has multiple information exposure vulnerabilities (CVE-2023-33833, CVE-2023-33834, CVE-2023-33835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029584 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to remote code execution due to IBM Java (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030442 ∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to IBM Java (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030443 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030450 ∗∗∗ The IBM Engineering Lifecycle Engineering product using WebSphere Application Server Liberty is vulnerable to denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030449 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM\u00ae SDK, Java\u2122 Technology Edition is affected by multiple vulnerabilities (CVE-2023-22045, CVE-2023-22049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030448 ∗∗∗ IBM Event Endpoint Management is vulnerable to a denial of service in Netty (CVE-2023-34462) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030456 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030458 ∗∗∗ A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM\u00ae Intelligent Operations Center(CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030460 ∗∗∗ IBM Cloud Pak for Network Automation 2.6 addresses multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030469 ∗∗∗ Multiple CVEs may affect Operating System packages shipped with IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030462 ∗∗∗ Multiple CVEs may affect Operating System packages shipped with IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030461 ∗∗∗ IBM Cloud Pak for Network Automation 2.6.1 fixes multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030470 ∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030463 ∗∗∗ CVE-2022-40609 may affect Java Technology Edition used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030466 ∗∗∗ CVE-2023-34149 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030464 ∗∗∗ CVE-2023-34396 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030465 ∗∗∗ IBM Java SDK update forJava deserialization filters (JEP 290) ignored during IBM ORB deserialization ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030522 ∗∗∗ The Transformation Advisor Tool in IBM App Connect Enterprise is vulnerable to a denial of service due to Apache Johnzon (CVE-2023-33008) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030531 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2023
by Daily end-of-shift report 01 Sep '23

01 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-08-2023 18:00 − Freitag 01-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Monitoring aus der Cloud: Kundensysteme dank schwacher Standardpasswörter gehackt ∗∗∗ --------------------------------------------- Hacker haben offenbar aufgrund schwacher Standardpasswörter eine Ransomware auf lokalen Systemen von Logicmonitor-Kunden verbreitet. --------------------------------------------- https://www.golem.de/news/monitoring-aus-der-cloud-kundensysteme-dank-schwa… ∗∗∗ WordPress Vulnerability & Patch Roundup August 2023 ∗∗∗ --------------------------------------------- To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-augus… ∗∗∗ Potential Weaponizing of Honeypot Logs ∗∗∗ --------------------------------------------- Escape sequences have long been used to create ASCII art on screens and allow for customization of a user’s terminal. Because most terminals support some kind of escape sequences, it could be possible to manipulate the analyst’s terminal, and hypothetically allow for remote code execution on the analysist’s system. --------------------------------------------- https://isc.sans.edu/diary/rss/30178 ∗∗∗ MONDEO: Multistage Botnet Detection ∗∗∗ --------------------------------------------- MONDEO is a multistage mechanism with a flexible design to detect DNS-based botnet malware. MONDEO is lightweight and can be deployed without requiring the deployment of software, agents, or configuration in mobile devices, allowing easy integration in core networks. MONDEO comprises four detection stages: Blacklisting/Whitelisting, Query rate analysis, DGA analysis, and Machine learning evaluation. [..] The implementation is available at github. --------------------------------------------- https://arxiv.org/abs/2308.16570 ∗∗∗ Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd ∗∗∗ --------------------------------------------- Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required. --------------------------------------------- https://pulsesecurity.co.nz/advisories/tpm-luks-bypass ∗∗∗ BitLocker, TPM and Pluton | What Are They and How Do They Work ∗∗∗ --------------------------------------------- The optimal kind of security measure is imperceptible to the user during deployment and usage. Whenever there is a potential delay or difficulty due to a security feature, there is a high probability that users will attempt to circumvent security. This situation is particularly prevalent for data protection, and that is a scenario that organizations need to prevent. --------------------------------------------- https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker,-TPM-and… ∗∗∗ NetNTLMv1 Downgrade to compromise ∗∗∗ --------------------------------------------- In this blogpost I’m going to blow your mind with some easy to understand NetNTLMv1 downgrade and relaying stuff. I will keep this blogpost simple, so that everyone can follow these steps, but I will link further resources for those who want to get the bigger picture at the end of this post. --------------------------------------------- https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html ∗∗∗ Free Decryptor Available for ‘Key Group’ Ransomware ∗∗∗ --------------------------------------------- EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom. --------------------------------------------- https://www.securityweek.com/free-decryptor-available-for-key-group-ransomw… ∗∗∗ How companies can get a grip on ‘business email compromise’ ∗∗∗ --------------------------------------------- The delivery methods vary but the most exploited vector is email as a vehicle for a credential harvesting phishing campaign. Phishing, in general, has grown in scale and sophistication in recent years, with the most damaging form of phishing from a financial perspective being “business email compromise” (BEC). According to Check Point Research, credential harvesting makes up about 15% of all email-based attacks but is the most financially damaging category. --------------------------------------------- https://blog.checkpoint.com/security/how-companies-can-get-a-grip-on-busine… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in i-PRO VI Web Client ∗∗∗ --------------------------------------------- VI Web Client provided by i-PRO Co., Ltd. contains multiple vulnerabilities. Update the software to the latest version according to the information provided by the developer. These vulnerabilities have been addressed in VI Web Client 7.9.6. --------------------------------------------- https://jvn.jp/en/jp/JVN60140221/ ∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service ∗∗∗ --------------------------------------------- The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php ∗∗∗ Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- Autodesk AutoCAD and certain AutoCAD-based products have been affected by Out-of-Bounds Write, Heap-based Buffer Overflow, Untrusted Pointer Dereference, and Memory Corruption vulnerabilities. CVE IDs: CVE-2023-29073, CVE-2023-29074, CVE-2023-29075, CVE-2023-29076, CVE-2023-41139, CVE-2023-41140 --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018 ∗∗∗ Acronis: Updates dichten Sicherheitslecks in mehreren Produkten ab ∗∗∗ --------------------------------------------- Acronis hat Sicherheitsmeldungen zu insgesamt zwölf Schwachstellen in mehreren Produkten herausgegeben. Updates stehen länger bereit. --------------------------------------------- https://heise.de/-9291446 ∗∗∗ Kritische Lücke in VPN von Securepoint ∗∗∗ --------------------------------------------- Updates sollen eine kritische Sicherheitslücke in der VPN-Software von Securepoint schließen, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://heise.de/-9291723 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git). --------------------------------------------- https://lwn.net/Articles/943302/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2023
by Daily end-of-shift report 31 Aug '23

31 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-08-2023 18:00 − Donnerstag 31-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature ∗∗∗ --------------------------------------------- A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud."The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..] --------------------------------------------- https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html ∗∗∗ North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository ∗∗∗ --------------------------------------------- Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. --------------------------------------------- https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html ∗∗∗ CISA and FBI Publish Joint Advisory on QakBot Infrastructure ∗∗∗ --------------------------------------------- CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joi… ∗∗∗ Converting Tokens to Session Cookies for Outlook Web Application ∗∗∗ --------------------------------------------- More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique weve been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints. --------------------------------------------- https://labs.lares.com/owa-cap-bypass/ ∗∗∗ Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework ∗∗∗ --------------------------------------------- Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains. --------------------------------------------- https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using… ∗∗∗ NosyMonkey: API hooking and code injection made easy ∗∗∗ --------------------------------------------- As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn’t normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business. --------------------------------------------- https://www.anvilsecure.com/blog/nosymonkey.html ∗∗∗ Bypassing Defender’s LSASS dump detection and PPL protection In Go ∗∗∗ --------------------------------------------- This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using theProcess Explorer driver and explores methods to bypass Windows Defender’s signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in GO and can be used as a POC for the techniques overviewed below. --------------------------------------------- https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-… ∗∗∗ Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows ∗∗∗ --------------------------------------------- In today’s post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside — a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows. --------------------------------------------- https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-githu… ∗∗∗ Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store ∗∗∗ --------------------------------------------- ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..] --------------------------------------------- https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/ ∗∗∗ Infamous Chisel Malware Analysis Report ∗∗∗ --------------------------------------------- Infamous Chisel is a collection of components targeting Android devices.This malware is associated with Sandworm activity.It performs periodic scanning of files and network information for exfiltration.System and application configuration files are exfiltrated from an infected device. --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-243a ∗∗∗ A Deep Dive into Brute Ratel C4 payloads ∗∗∗ --------------------------------------------- Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. --------------------------------------------- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress migration add-on flaw could lead to data breaches ∗∗∗ --------------------------------------------- All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-f… ∗∗∗ Wordpress: Cloud-Extensions für Migrationstool ermöglichen Datenklau ∗∗∗ --------------------------------------------- Die Box-, Google-Drive-, Onedrive- und Dropbox-Erweiterungen für ein weitverbreitetes Wordpress-Migrations-Plug-in sind anfällig für Datenklau. --------------------------------------------- https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-er… ∗∗∗ Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041 ∗∗∗ --------------------------------------------- This module makes PatternLab's custom Twig functions available to Drupal theming. The module's included examples don't sufficiently filter data. This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-041 ∗∗∗ Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042 ∗∗∗ --------------------------------------------- This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesnt sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-042 ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485 * ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487 * ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447 * ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-indus… ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Aruba-Switches möglich ∗∗∗ --------------------------------------------- Verschiedene Switch-Modelle von Aruba sind verwundbar. Abgesicherte Ausgaben von ArubaOS schaffen Abhilfe. --------------------------------------------- https://heise.de/-9290375 ∗∗∗ Big Data: Splunk dichtet hochriskante Lücken ab ∗∗∗ --------------------------------------------- Die Big-Data-Experten von Splunk haben aktualisierte Software bereitgestellt, die teils hochriskante Schwachstellen in der Analysesoftware ausbessert. --------------------------------------------- https://heise.de/-9290325 ∗∗∗ VMware Tools: Schwachstelle ermöglicht Angreifern unbefugte Aktionen in Gästen ∗∗∗ --------------------------------------------- VMware warnt vor einer Sicherheitslücke in VMware Tools. Sie ermöglicht eine Man-in-the-Middle-Attacke auf Gastsysteme. --------------------------------------------- https://heise.de/-9290783 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) ∗∗∗ --------------------------------------------- Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive). --------------------------------------------- https://lwn.net/Articles/943192/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Firefox ESR ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-securit… ∗∗∗ Weitere Windows-Rechteausweitung über Razer Synapse (SYSS-2023-002) ∗∗∗ --------------------------------------------- In Razer Synapse kann über eine Time-of-check Time-of-use Race Condition die Überprüfung fremder Bibliotheken durch den Dienst überlistet werden. --------------------------------------------- https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-raz… ∗∗∗ Cisco Unified Communications Products Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Storage Defender Data Protect ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029861 ∗∗∗ Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/691223 ∗∗∗ Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690117 ∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983442 ∗∗∗ Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027874 ∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983440 ∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001699 ∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029864 ∗∗∗ TADDM affected by vulnerability due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029984 ∗∗∗ Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029986 ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006475 ∗∗∗ A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029527 ∗∗∗ A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029524 ∗∗∗ Multiple security vulnerabilities affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026754 ∗∗∗ A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029540 ∗∗∗ Multiple security vulnerabilities in Java affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026758 ∗∗∗ IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030110 ∗∗∗ IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030100 ∗∗∗ IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030101 ∗∗∗ IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030102 ∗∗∗ IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030103 ∗∗∗ IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030159 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2023
by Daily end-of-shift report 30 Aug '23

30 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-08-2023 18:00 − Mittwoch 30-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Border Gateway Protocol: Der Klebstoff des Internets hat eine Schwachstelle ∗∗∗ --------------------------------------------- Durch eine neu entdeckte Schwachstelle im Border Gateway Protocol können Angreifer potenziell Teile des Internets abschotten. --------------------------------------------- https://www.golem.de/news/border-gateway-protocol-der-klebstoff-des-interne… ∗∗∗ Kritische Sicherheitslücke in VMware Aria Operations for Networks ∗∗∗ --------------------------------------------- VMware schließt Sicherheitslücken in Aria Operations for Networks. Eine gilt als kritisch und erlaubt den Zugriff ohne Anmeldung. --------------------------------------------- https://heise.de/-9288934 ∗∗∗ Botnet: Internationale Strafverfolger deinstallieren 700.000 Qakbot-Drohnen ∗∗∗ --------------------------------------------- Zusammen mit internationalen Strafverfolgern hat das FBI das Qakbot-Botnetz vorerst außer Gefecht gesetzt. Von 700.000 Systemen entfernten sie die Malware. --------------------------------------------- https://heise.de/-9289070 ∗∗∗ Cisco warnt vor Ransomware-Angriffen auf VPNs ohne Mehrfaktorauthentifizierung ∗∗∗ --------------------------------------------- Cisco warnt vor Angriffen mit der Akira-Ransomware, die auf VPNs des Herstellers zielt. Bei nicht genutzter Mehrfaktorauthentifizierung gelingen Einbrüche. --------------------------------------------- https://heise.de/-9289242 ∗∗∗ Vorsicht vor Jobs auf zalandoovip.vip und remote-rpo-at.com! ∗∗∗ --------------------------------------------- Auf remote-rpo-at.com wird Ihnen ein lukratives Job-Angebot präsentiert. „Seien Sie Ihr Eigener Chef Und Verdienen Sie Bis zu €1260 Pro Woche!“, heißt es da auf der Startseite. Sie sollen im weiteren Verlauf auf der betrügerischen Website zalandoovip.vip für Zalando Produktbewertungen abgeben und so angeblich Verkäufe steigern. Sobald Sie Ihr verdientes Geld auszahlen lassen wollen, folgt die böse Überraschung: [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobs-auf-zalandoovipvip… ∗∗∗ Tausende Organisationen verwundbar auf Subdomain Hijacking ∗∗∗ --------------------------------------------- Subdomain-Hijacking stellt ein besorgniserregendes Szenario dar, bei dem Angreifer die Kontrolle über Websites übernehmen, die auf Subdomains seriöser Organisationen gehostet werden. Dies ermöglicht Angreifern zum Beispiel die Verbreitung von Schadsoftware und Desinformationen oder die Durchführung Phishing-Angriffen. --------------------------------------------- https://certitude.consulting/blog/de/subdomain-hijacking-2/ ∗∗∗ Trojanized Signal and Telegram apps on Google Play delivered spyware ∗∗∗ --------------------------------------------- Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegr… ∗∗∗ Getting into AWS cloud security research as a n00bcake ∗∗∗ --------------------------------------------- Today, AWS security research can feel impenetrable, like understanding the latest meme that’s already gone through three ironic revivals. But if I’m being honest, I might suggest AWS security research is far more accessible than the other insane research in our industry. That’s why I attempt it. I’m just too dumb to write shellcode or disassemble a binary. So don’t be scared, let’s do it together! --------------------------------------------- https://dagrz.com/writing/aws-security/getting-into-aws-security-research/ ∗∗∗ CISA Releases IOCs Associated with Malicious Barracuda Activity ∗∗∗ --------------------------------------------- CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-assoc… ∗∗∗ Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) ∗∗∗ --------------------------------------------- On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant’s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners. Over the course of this --------------------------------------------- https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-rem… ∗∗∗ Pay our ransom instead of a GDPR fine, cybercrime gang tells its targets ∗∗∗ --------------------------------------------- Researchers are tracking a new cybercrime group that uses a never-seen-before extortion tactic. The gang, which operates through a blog called Ransomed, tells victims that if they don’t pay to protect stolen files, they will face fines under data protection laws like the EU’s GDPR, according to a new report by cybersecurity firm Flashpoint. --------------------------------------------- https://therecord.media/ransomed-cybercrime-group-extortion-gdpr ===================== = Vulnerabilities = ===================== ∗∗∗ Netgear: Security Advisory for Post-authentication Command Injection on the Prosafe® Network Management System, PSV-2023-0037 ∗∗∗ --------------------------------------------- NETGEAR is aware of a post-authentication command injection security vulnerability on NMS300 and strongly recommends that you download the latest version of NMS300 as soon as possible. --------------------------------------------- https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-… ∗∗∗ Netgear: Security Advisory for Authentication Bypass on the RBR760, PSV-2023-0052 ∗∗∗ --------------------------------------------- NETGEAR is aware of an authentication bypass security vulnerability on the RBR760. This vulnerability requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited. --------------------------------------------- https://kb.netgear.com/000065734/Security-Advisory-for-Authentication-Bypas… ∗∗∗ Webbrowser: Google-Chrome-Update stopft hochriskante Sicherheitslücke ∗∗∗ --------------------------------------------- Google bessert im Webbrowser Chrome eine als hochriskant eingestufte Schwachstelle aus. --------------------------------------------- https://heise.de/-9288903 ∗∗∗ Entwickler von Notepad++ ignoriert offensichtlich Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden den Texteditor Notepad++. Trotz Informationen zu den Lücken und möglichen Fixes steht ein Sicherheitsupdate noch aus. --------------------------------------------- https://heise.de/-9289124 ∗∗∗ VMSA-2023-0018 ∗∗∗ --------------------------------------------- Synopsis: VMware Aria Operations for Networks updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0018.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17). --------------------------------------------- https://lwn.net/Articles/943087/ ∗∗∗ Remote Code Execution in RTS VLink Virtual Matrix ∗∗∗ --------------------------------------------- BOSCH-SA-893251-BT: A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-893251-bt.html ∗∗∗ 2023-08-29 Out-of-Cycle Security Bulletin: Junos OS and Junos OS Evolved: A crafted BGP UPDATE message allows a remote attacker to de-peer (reset) BGP sessions (CVE-2023-4481) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-29-Out-of-Cycle-Securit… ∗∗∗ [R1] Nessus Version 10.6.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-29 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2023
by Daily end-of-shift report 29 Aug '23

29 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 28-08-2023 18:00 − Dienstag 29-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year ∗∗∗ --------------------------------------------- Three malware loaders — QBot, SocGholish, and Raspberry Robin — are responsible for 80 percent of observed attacks on computers and networks so far this year. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/08/28/top_malware_… ∗∗∗ Leaking File Contents with a Blind File Oracle in Flarum ∗∗∗ --------------------------------------------- Flarum is a free, open source PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. [..] Through our research we were able to leak the contents of arbitrary local files in Flarum through a blind oracle, and conduct blind SSRF attacks with only a basic user account. --------------------------------------------- https://blog.assetnote.io/2023/08/28/leaking-file-contents-with-a-blind-fil… ∗∗∗ Compromised OpenCart Payment Module Steals Credit Card Information ∗∗∗ --------------------------------------------- It seems that the attackers had manually modified one of the key files responsible for the processing of payment information on their OpenCart website; this is very similar to another credit card skimmer that we recently wrote about. --------------------------------------------- https://blog.sucuri.net/2023/08/opencart-payment-module-steals-credit-card-… ∗∗∗ Jetzt patchen! Exploitcode legt Attacken auf Juniper-Firewalls nahe ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Schwachstellen in Juniper Firewalls und Switches dokumentiert. Das können Angreifer nun missbrauchen. --------------------------------------------- https://heise.de/-9287740 ∗∗∗ Zoho ManageEngine: Schwachstelle erlaubt Umgehen von Mehrfaktorauthentifizierung ∗∗∗ --------------------------------------------- Zahlreiche ManageEninge-Produkte von Zoho sind von Schwachstellen betroffen, die die Umgehung der Mehrfaktorauthentifizierung (MFA) ermöglichen. Während aktualisierte Softwarepakete offenbar seit Ende Juni bereitstehen, wurde erst jetzt die CVE-Meldung dazu bekannt. --------------------------------------------- https://heise.de/-9287917 ∗∗∗ MalDoc in PDF: Japanisches CERT warnt vor in PDFs versteckten Malware-Dokumenten ∗∗∗ --------------------------------------------- Cyberkriminelle finden immer neue Wege, Malware vor der Erkennung zu verstecken. Das japanische CERT hat jetzt bösartige Word-Dokumente in PDFs gefunden. --------------------------------------------- https://heise.de/-9288262 ∗∗∗ Gefälschte Beschwerdemails an Hotels führen zu Schadsoftware ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte E-Mails mit angeblichen Gästebeschwerden. Bisher sind uns zwei Versionen bekannt. In einem E-Mail beklagt sich ein vermeintlicher Gast über die Sauberkeit der Zimmer, in einer anderen Version, wirft man dem Personal vor, Wertgegenstände aus dem Zimmer gestohlen zu haben. Als Beweis finden Sie im E-Mail einen Link zu Fotos. Wir vermuten Schadsoftware, klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-beschwerdemails-an-hotel… ∗∗∗ Ungefixter Skype-Bug ermöglicht Angreifern die IP-Adresse der Opfer abzufragen (August 2023) ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher ist auf eine Möglichkeit gestoßen, die IP-Adresse eines Skype-Benutzers zu ermitteln, ohne dass die Zielperson überhaupt auf einen Link klicken muss. --------------------------------------------- https://www.borncity.com/blog/2023/08/29/ungefixter-skype-bug-ermglicht-ang… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities found in Techview LA-5570 Wireless Gateway Home Automation Controller ∗∗∗ --------------------------------------------- The Security Team at [exploitsecurity.io] uncovered multiple vulnerabilities in the Techview LA-5570 Wireless Home Automation Controller [Firmware Version 1.0.19_T53]. These vulnerabilities can be used to to gain full control of the affected device. CVE IDs: CVE-2023-34723, CVE-2023-34724, CVE-2023-34725 --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-… ∗∗∗ Webbrowser: Firefox 117, ESR 115.2 und ESR 102.15 dichten Sicherheitslecks ab ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler haben die Firefox-Versionen 117, ESR 115.2 und ESR 102.15 herausgegeben, die mehrere teils hochriskante Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-9288483 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flask-security and opendmarc), Fedora (qemu), Oracle (rust and rust-toolset:ol8), Red Hat (cups and libxml2), Scientific Linux (cups), SUSE (ca-certificates-mozilla, chromium, clamav, freetype2, haproxy, nodejs12, procps, and vim), and Ubuntu (faad2, json-c, libqb, linux, linux-aws, linux-lts-xenial, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, and linux-gke, linux-ibm-5.4). --------------------------------------------- https://lwn.net/Articles/943006/ ∗∗∗ Unauthenticated OS Command Injection im Patton SN200 VoIP-Gateway (SYSS-2023-019) ∗∗∗ --------------------------------------------- Durch verschiedene Schwachstellen können unangemeldete Angreifende Sytembefehle auf dem Patton SN200 VoIP-Gateway ausführen. --------------------------------------------- https://www.syss.de/pentest-blog/unauthenticated-os-command-injection-im-pa… ∗∗∗ Festo Didactic: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-040/ ∗∗∗ Reflected Cross-Site Scripting (XSS) Schwachstelle in Codebeamer (ALM Solution) von PTC ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/reflected-cross-site-… ∗∗∗ IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in scikit-learn ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029479 ∗∗∗ A CVE-2023-21967 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029615 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU is vulnerable to (CVE-2023-2597) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029634 ∗∗∗ IBM Event Streams is vulnerable to denial of service attacks due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029640 ∗∗∗ IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2023-29409) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029639 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029646 ∗∗∗ Operations Dashboard is vulnerable to remote code execution, privilege escalation, and denial of service due to multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029648 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029656 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029662 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2023
by Daily end-of-shift report 28 Aug '23

28 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-08-2023 18:00 − Montag 28-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Update korrigiert Verschlüsselung von Qnap-Betriebssystemen ∗∗∗ --------------------------------------------- Qnap hat aktualisierte Versionen der QTS- und QuTS hero-Betriebssysteme veröffentlicht. Sie korrigieren unter anderem zu schwache Verschlüsselung. --------------------------------------------- https://heise.de/-9286394 ∗∗∗ Stalker-Malware: Whiffy Recon schnüffelt Standort alle 60 Sekunden aus ∗∗∗ --------------------------------------------- Eine Malware namens Whiffy Recon überprüft alle 60 Sekunden den Standort des infizierten Geräts. Es bleibt unklar, wozu. --------------------------------------------- https://heise.de/-9286754 ∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft womöglich weitere Programme ∗∗∗ --------------------------------------------- Nachtrag vom 28. August 2023, 17:28 Uhr: Herr Marx wies die Redaktion im Nachhinein darauf hin, dass eine mögliche Ausnutzung von CVE-2023-40477 für die einzelnen Anwendungen individuell beurteilt werden muss. Nicht jedes Programm, das die gefährdete DLL verwendet, macht automatisch Gebrauch von dem problematischen Code. --------------------------------------------- https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri… ∗∗∗ Duolingo: Leck mit 2,6 Millionen Nutzerdatensätze, Prüfung auf Have I been Pwned möglich ∗∗∗ --------------------------------------------- Bei der Sprachlern-App Duolingo bzw. bei deren Anbieter ermöglichten Schwachstellen Benutzerdaten abzuziehen. Jetzt hat Troy Hunt einen Datensatz mit den Informationen zu 2,6 Millionen Duolingo Nutzern in seine Plattform Have I been Pwned integriert. --------------------------------------------- https://www.borncity.com/blog/2023/08/24/duolingo-leck-mit-26-millionen-nut… ∗∗∗ Antworten von Microsoft zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 1 ∗∗∗ --------------------------------------------- Ich hatte nach dem Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 bei Microsoft Irland konkret nachgefragt, ob persönliche Daten eines meiner Microsoft Konten betroffen seien. Und ich hatte an den Bundesdatenschutzbeauftragten (BfDI), Ulrich Kelber, [...] --------------------------------------------- https://www.borncity.com/blog/2023/08/26/antworten-von-microsoft-zum-hack-d… ∗∗∗ Antworten des Bundesdatenschutzbeauftragten, Ulrich Kelber, zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 2 ∗∗∗ --------------------------------------------- In Teil 1 dieser Artikelreihe hatte die die Antworten Microsofts auf meine konkreten Fragen zum Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 wiedergegeben. Ich hatte aber auch einige Fragen an die Presseabteilung des Bundesdatenschutzbeauftragten (BfDI) [...] --------------------------------------------- https://www.borncity.com/blog/2023/08/26/antworten-des-bundesdatenschutzbea… ∗∗∗ PoC for no-auth RCE on Juniper firewalls released ∗∗∗ --------------------------------------------- Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit. --------------------------------------------- https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/ ∗∗∗ Beware the Azure Guest User: How to Detect When a Guest User Account Is Being Exploited ∗∗∗ --------------------------------------------- In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. Often, little effort is invested in keeping guest users safe. However, this could prove to be a costly mistake. It’s actually very important to monitor the third-party applications and identities that have access to your environment, [...] --------------------------------------------- https://orca.security/resources/blog/detect-guest-user-account-exploited/ ∗∗∗ Reply URL Flaw Allowed Unauthorized MS Power Platform API Access ∗∗∗ --------------------------------------------- Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization. --------------------------------------------- https://www.hackread.com/reply-url-flaw-ms-power-platform-api-access/ ∗∗∗ KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities ∗∗∗ --------------------------------------------- An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. --------------------------------------------- https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html ===================== = Vulnerabilities = ===================== ∗∗∗ D-Link DAP-2622: Various Security Vulnerabilities Reported ∗∗∗ --------------------------------------------- Affected Models: DAP-2622 Hardware Revision: All A Series Hardware Revisions Region: Non-US/CA Affected FW: v1.00 & Below Fixed FW: v1.10B03R022 Beta-Hotfix --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ Busybox cpio directory traversal vulnerability (CVE-2023-39810) ∗∗∗ --------------------------------------------- When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this. --------------------------------------------- https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerabi… ∗∗∗ Sicherheitsupdates: Drupal-Plug-ins mit Schadcode-Lücken ∗∗∗ --------------------------------------------- Wenn bestimmte Plug-ins zum Einsatz kommen, sind mit dem CMS Drupal erstellte Websites attackierbar. --------------------------------------------- https://heise.de/-9286388 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen). --------------------------------------------- https://lwn.net/Articles/942922/ ∗∗∗ Sicherheitsschwachstellen im tef-Händlerportal (SYSS-2023-020/-021) ∗∗∗ --------------------------------------------- Im tef-Händlerportal kann über eine Persistent Cross-Site Scripting-Schwachstelle beliebiger Code im Kontext des Benutzers ausgeführt werden. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-im-tef-haendlerp… ∗∗∗ VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/757109 ∗∗∗ Vulnerabilities in IBM Java Runtime affect z/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028975 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to arbitrary code execution due to an unsafe deserialization flaw (CVE-2022-40609). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029160 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029356 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029359 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029364 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-32342] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029362 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029361 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029360 ∗∗∗ GNU C library (glibc) vulnerability affects (CVE-2015-7547) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650093 ∗∗∗ ISC DHCP vulnerability affects TS4500 Tape Library (CVE-2018-5732) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650877 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2023
by Daily end-of-shift report 25 Aug '23

25 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-08-2023 18:00 − Freitag 25-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft Hunderte weitere Programme ∗∗∗ --------------------------------------------- Nicht nur alte Winrar-Versionen sind für eine jüngst gepatchte Sicherheitslücke anfällig, sondern auch zahlreiche weitere Anwendungen. --------------------------------------------- https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri… ∗∗∗ FBI-Warnung: Barracuda ESG-Appliances noch immer bedroht, umgehend entfernen ∗∗∗ --------------------------------------------- Das FBI warnt vor den Barracuda-ESG-Schwachstellen, die Ende Mai bekannt wurden. Es geht davon aus, dass alle Geräte kompromittiert seien. --------------------------------------------- https://heise.de/-9284695 ∗∗∗ „Mammutjagd“ auf Online-Marktplätze ∗∗∗ --------------------------------------------- Mit dem Toolset "Telekopye" können auch technisch wenig versierte Hacker auf Online-Marktplätzen Jagd auf ahnungslose Käufer – im Gauner-Slang "Mammut" - machen. --------------------------------------------- https://www.zdnet.de/88411400/mammutjagd-auf-online-marktplaetze/ ∗∗∗ Jupiter X Core WordPress plugin could let hackers hijack sites ∗∗∗ --------------------------------------------- Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jupiter-x-core-wordpress-plu… ∗∗∗ Python Malware Using Postgresql for C2 Communications, (Fri, Aug 25th) ∗∗∗ --------------------------------------------- For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks... --------------------------------------------- https://isc.sans.edu/diary/rss/30158 ∗∗∗ Playing Dominos with Moodles Security (1/2) ∗∗∗ --------------------------------------------- This is the first blog in a two-part series where we will present our findings on a Moodle security audit we conducted. We were drawn to researching the security aspect of the framework due to its popularity, with the goal of contributing to a safer internet. In this first article, we demonstrate how an unauthenticated attacker can leverage a vulnerability with a supposedly low impact to gain full control over the Moodle instance. --------------------------------------------- https://www.sonarsource.com/blog/playing-dominos-with-moodles-security-1/ ∗∗∗ A broken marriage. Abusing mixed vendor Kerberos stacks ∗∗∗ --------------------------------------------- *nix based servers and services can be joined to Active Directory networks in the same way as their Windows counterparts. This is usually facilitated through the MIT or Heimdal Kerberos stacks. Kerberos is designed as an authentication-based protocol therefore authorisation decisions are implemented independently to the Kerberos protocol itself. Due to this, different vendor stacks behave differently on how authorisation decisions are made. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mix… ∗∗∗ A Beginner’s Guide to Adversary Emulation with Caldera ∗∗∗ --------------------------------------------- The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and looking to expand their knowledge on adversary emulation. This post delves into the details of adversary emulation with the Caldera framework exploring the benefits it offers. --------------------------------------------- https://blog.nviso.eu/2023/08/25/a-beginners-guide-to-adversary-emulation-w… ∗∗∗ Analysis of MS-SQL Server Proxyjacking Cases ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system. --------------------------------------------- https://asec.ahnlab.com/en/56350/ ∗∗∗ Stories from the SOC - Unveiling the stealthy tactics of Aukill malware ∗∗∗ --------------------------------------------- On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the clients print server to disable the servers installed endpoint detection and response (EDR) solution by brute-forcing an administrator account and downgrading a driver to a vulnerable version. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Maxon Cinema 4D SKP File Parsing vulnerabilities ∗∗∗ --------------------------------------------- CVSS Score: 7.8 CVE-2023-40482, CVE-2023-40483, CVE-2023-40486, CVE-2023-40485, CVE-2023-40484, CVE-2023-40488, CVE-2023-4049[0], CVE-2023-40491, CVE-2023-40487, CVE-2023-40489 Mitigation: Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) LG Simple Editor vulnerabilities ∗∗∗ --------------------------------------------- CVSS Scores: 6.5-9.8 CVE-2023-40502, CVE-2023-40513, CVE-2023-40514, CVE-2023-40515, CVE-2023-40492, CVE-2023-40493, CVE-2023-40494, CVE-2023-40495, CVE-2023-40496, CVE-2023-40497, CVE-2023-40498, CVE-2023-40499, CVE-2023-40500, CVE-2023-40503, CVE-2023-40503, CVE-2023-40504, CVE-2023-40505, CVE-2023-40506, CVE-2023-40507, CVE-2023-40508, CVE-2023-40509, CVE-2023-40510, CVE-2023-40511, CVE-2023-40512, CVE-2023-40501, CVE-2023-40516 [...] they do not have plans to fix the [vulnerabilities] --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) LG SuperSign Media Editor vulnerabilities ∗∗∗ --------------------------------------------- CVSS Scores: 5.3-7.5 CVE-2023-40517, CVE-2023-41181 The vendor states that they do not have plans to fix the [vulnerabilities] now or in the future. [...] Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ QNap: [Vulnerabilities] in QTS and QuTS hero ∗∗∗ --------------------------------------------- CVE-2023-34971, CVE-2023-34973, CVE-2023-34972 Affected products: QTS 5.1.0, 5.0.1, 4.5.4; QuTS hero h5.1.0, h4.5.4 We have already fixed the [vulnerabilities] in the following operating system versions: * QTS 5.1.0.2444 build 20230629 and later * QTS 5.0.1.2425 build 20230609 and later * QTS 4.5.4.2467 build 20230718 and later * QuTS hero h5.1.0.2424 build 20230609 and later * QuTS hero h4.5.4.2476 build 20230728 and later --------------------------------------------- https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds). --------------------------------------------- https://lwn.net/Articles/942766/ ∗∗∗ ZDI-23-1224: LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1224/ ∗∗∗ ZDI-23-1223: LG LED Assistant thumbnail Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ ∗∗∗ ZDI-23-1222: LG LED Assistant setThumbnailRc Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1222/ ∗∗∗ ZDI-23-1221: LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1221/ ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028506 ∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017974 ∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21541, CVE-2022-21540) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028934 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2023-26115] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028936 ∗∗∗ IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028841 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2023
by Daily end-of-shift report 24 Aug '23

24 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-08-2023 18:00 − Donnerstag 24-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute ∗∗∗ --------------------------------------------- The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems positions by scanning nearby Wi-Fi access points as a data point for Googles geolocation API," [...] --------------------------------------------- https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html ∗∗∗ Using LLMs to reverse JavaScript variable name minification ∗∗∗ --------------------------------------------- This blog introduces a novel way to reverse minified Javascript using large language models (LLMs) like ChatGPT and llama2 while keeping the code semantically intact. The code is open source and available at Github --------------------------------------------- https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification ∗∗∗ Microsoft: Windows-Update-Vorschauen schützen vor Downfall-CPU-Lücke ∗∗∗ --------------------------------------------- Microsoft hat die Vorschauen auf die Windows-Updates im September veröffentlicht. Sie bringen Gegenmaßnahmen für die Downfall-Intel-CPU-Lücke mit. --------------------------------------------- https://heise.de/-9283485 ∗∗∗ FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”. --------------------------------------------- https://www.securityweek.com/fbi-patches-for-recent-barracuda-esg-zero-day-… ∗∗∗ Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT ∗∗∗ --------------------------------------------- This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations. --------------------------------------------- https://blog.talosintelligence.com/lazarus-quiterat/ ∗∗∗ Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study ∗∗∗ --------------------------------------------- In this blog post, we provide a deep dive into Check Point’s ongoing use of such a model to sweep across this haystack, and routinely thwart malicious campaigns abusing the DNS protocol to communicate with C&C servers. We focus on one such campaign, of CoinLoader, and lay out its infrastructure as well as an in-depth technical analysis of its DNS tunnelling functionality. --------------------------------------------- https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: DoS-Attacken auf Firewalls und Switches von Cisco möglich ∗∗∗ --------------------------------------------- Angreifer können Geräte von Cisco via DoS-Attacken lahmlegen. Der Netzwerkausrüster hat Sicherheitspatches veröffentlicht. --------------------------------------------- https://heise.de/-9283445 ∗∗∗ Security Advisories for Drupal contributed projects ∗∗∗ --------------------------------------------- * Config Pages - Moderately critical - Information Disclosure * Shorthand - Critical - Access bypass * SafeDelete - Moderately critical - Access bypass * Data field - Moderately critical - Access bypass * ACL - Critical - Arbitrary PHP code execution * Forum Access - Critical - Arbitrary PHP code execution * Flexi Access - Critical - Arbitrary PHP code execution --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki ∗∗∗ --------------------------------------------- [..] detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. This bug was originally discovered by Michael Hamann with public Proof-of-Concept (PoC) code provided by Manuel Leduc. Successful exploitation of this vulnerability would allow an authenticated attacker to perform an arbitrary code injection on affected systems. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/22/cve-2023-35150-arbitrary-c… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (w3m), Fedora (libqb), Mageia (docker-containerd, kernel, kernel-linus, microcode, php, redis, and samba), Oracle (kernel, kernel-container, and openssh), Scientific Linux (subscription-manager), SUSE (ca-certificates-mozilla, erlang, gawk, gstreamer-plugins-base, indent, java-1_8_0-ibm, kernel, kernel-firmware, krb5, libcares2, nodejs14, nodejs16, openssl-1_1, openssl-3, poppler, postfix, redis, webkit2gtk3, and xen), and Ubuntu (php8.1). --------------------------------------------- https://lwn.net/Articles/942654/ ∗∗∗ Synology-SA-23:12 Synology SSL VPN Client ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_12 ∗∗∗ MISP 2.4.175 released with various bugs fixed, improvements and security fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2023/08/24/MISP.2.4.175.released.html/ ∗∗∗ OPTO 22 SNAP PAC S1 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-02 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-03 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-04 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-05 ∗∗∗ Rockwell Automation Input/Output Modules ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-06 ∗∗∗ KNX Protocol ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01 ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028350 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028511 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028506 ∗∗∗ IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028509 ∗∗∗ IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028514 ∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028513 ∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028095 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028709 ∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028713 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality due to [CVE-2023-26268] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028728 ∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028727 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2023
by Daily end-of-shift report 23 Aug '23

23 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-08-2023 18:00 − Mittwoch 23-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstellen im Web-Interface machen Aruba Orchestrator angreifbar ∗∗∗ --------------------------------------------- Angreifer können Arubas SD-WAN-Managementlösung EdgeConnect SD-WAN Orchestrator attackieren. --------------------------------------------- https://heise.de/-9282524 ∗∗∗ CISA warnt vor Angriffen auf Veeam-Backup-Sicherheitslücke ∗∗∗ --------------------------------------------- Die Cybersicherheitsbehörde CISA warnt vor aktuell laufenden Angriffen auf eine Veeam-Backup-Schwachstelle. Updates stehen bereit. --------------------------------------------- https://heise.de/-9282365 ∗∗∗ Die beliebteste WLAN-Glühbirne auf Amazon lässt Hacker in euer Netzwerk ∗∗∗ --------------------------------------------- Die TP-Link Tapo L530E hat Sicherheitslücken, mit denen sich Fremde Zugriff auf euer WLAN und damit auch auf die Geräte darin verschaffen können. --------------------------------------------- https://futurezone.at/produkte/wlan-lampe-gluehbrine-amazon-hacker-tp-link-… ∗∗∗ Vorsicht: Gefälschte Versionen von Google Bard verbreiten Malware ∗∗∗ --------------------------------------------- Achtung vor Fake-Werbung mit Google Bard: Hinter den Links befindet sich Malware. --------------------------------------------- https://futurezone.at/digital-life/google-bard-malware-faelschungen-fake-so… ∗∗∗ More Exotic Excel Files Dropping AgentTesla, (Wed, Aug 23rd) ∗∗∗ --------------------------------------------- Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others! Just check your local registry: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30150 ∗∗∗ Lateral movement: A conceptual overview ∗∗∗ --------------------------------------------- I think it would help a lot of those people to look at lateral movement from a conceptual point of view, instead of trying to understand all the techniques and ways in which lateral movement is achieved. [...] The goal is to hopefully enable more people to learn about how they can restructure or design their environments to be more resilient against lateral movement. --------------------------------------------- https://diablohorn.com/2023/08/22/lateral-movement-a-conceptual-overview/ ∗∗∗ Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders. ∗∗∗ --------------------------------------------- In large metropolitan areas, tourists are often easy to spot because theyre far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior. --------------------------------------------- https://krebsonsecurity.com/2023/08/tourists-give-themselves-away-by-lookin… ∗∗∗ Hackergruppe CosmicBeetle verbreitet Ransomware in Europa ∗∗∗ --------------------------------------------- Gruppe verwendet das Toolset Spacecolon, um Ransomware unter ihren Opfern zu verbreiten und Lösegeld zu erpressen. --------------------------------------------- https://www.zdnet.de/88411341/hackergruppe-cosmicbeetle-verbreitet-ransomwa… ∗∗∗ NVMe: New Vulnerabilities Made Easy ∗∗∗ --------------------------------------------- As vulnerability researchers, our primary mission is to find as many vulnerabilities as possible with the highest severity as possible. Finding vulnerabilities is usually challenging. But could there be a way, in some cases, to reach the same results with less effort? --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/nvme-new-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qt4-x11), Fedora (java-17-openjdk, linux-firmware, and python-yfinance), Red Hat (kernel, kpatch-patch, and subscription-manager), SUSE (evolution, janino, kernel, nodejs16, nodejs18, postgresql15, qt6-base, and ucode-intel), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/942514/ ∗∗∗ Google Chrome 116.0.5845.110/.111 Sicherheitsupdates ∗∗∗ --------------------------------------------- Google hat zum 22. August 2023 Updates des Google Chrome Browsers 116 im Stable Channel für Mac, Linux und Windows freigegeben. Es sind Sicherheitsupdates, die in den kommenden Wochen ausgerollt werden und 5 Schwachstellen (Einstufung als "hoch") beseitigen soll. --------------------------------------------- https://www.borncity.com/blog/2023/08/23/google-chrome-116-0-5845-110-111-s… ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028405 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028403 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028404 ∗∗∗ Multiple vulnerabilities may affect IBM Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028407 ∗∗∗ AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH (CVE-2023-40371 and CVE-2023-38408) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028420 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2023
by Daily end-of-shift report 22 Aug '23

22 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 21-08-2023 18:00 − Dienstag 22-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sneaky Amazon Google ad leads to Microsoft support scam ∗∗∗ --------------------------------------------- A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-lead… ∗∗∗ Akira ransomware targets Cisco VPNs to breach organizations ∗∗∗ --------------------------------------------- Theres mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cis… ∗∗∗ Security review for Microsoft Edge version 116 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 116! We have reviewed the new settings in Microsoft Edge version 116 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ New Variant of XLoader macOS Malware Disguised as OfficeNote Productivity App ∗∗∗ --------------------------------------------- A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote.""The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. --------------------------------------------- https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html ∗∗∗ CISA, NSA, and NIST Publish Factsheet on Quantum Readiness ∗∗∗ --------------------------------------------- Today, [CISA, NSA, NIST] released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/21/cisa-nsa-and-nist-publis… ∗∗∗ Exploitation of Openfire CVE-2023-32315 ∗∗∗ --------------------------------------------- This vulnerability has flown under the radar on the defensive side of the industry. CVE-2023-32315 has been exploited in the wild, but you won’t find it in the CISA KEV catalog. There has also been minimal discussion about indicators of compromise and very few detections (although to their credit, Ignite Realtime put out patches and a great mitigation guide back in May). --------------------------------------------- https://vulncheck.com/blog/openfire-cve-2023-32315 ∗∗∗ Kritische Sicherheitslücke in Ivanti Sentry wird bereits missbraucht ∗∗∗ --------------------------------------------- Ivanti schließt in Sentry, vormals MobileIron Sentry, eine kritische Sicherheitslücke. Sie wird bereits angegriffen. --------------------------------------------- https://heise.de/-9278280 ∗∗∗ Facebook: Vorsicht vor Fake-Gewinnspielen von Kronehit und Radio Arabella ∗∗∗ --------------------------------------------- Kriminelle erstellen auf Facebook Fake-Profile von österreichischen Radiomoderator:innen. Betroffen sind aktuell Melanie See von Radio Arabella und Christian Mederitsch von Kronehit. Auf den Fake-Profilen werden betrügerische Gewinnspiele verbreitet. „Gewinner:innen“ werden per Kommentar benachrichtigt und müssen dann einen Link aufrufen oder dem Fake-Profil eine Privatnachricht schreiben. Melden Sie das Fake-Gewinnspiel und antworten Sie nicht! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-vorsicht-vor-fake-gewinnspi… ∗∗∗ This AI-generated crypto invoice scam almost got me, and Im a security pro ∗∗∗ --------------------------------------------- Even a tech pro can fall for a well-laid phishing trap. Heres what happened to me - and how you can avoid a similar fate, too. --------------------------------------------- https://www.zdnet.com/article/this-ai-generated-crypto-invoice-scam-almost-… ∗∗∗ Verbraucherzentrale warnt vor Fake-Paypal-Betrugsanrufen ∗∗∗ --------------------------------------------- Ich nehme mal die Warnung vor einer Betrugsmasche hier mit im Blog auf, vor der die Verbraucherzentrale Baden-Württemberg aktuell warnt. Betrüger versuchen wohl über Call Center Opfer in Deutschland mit Schockanrufen über den Tisch zu ziehen. --------------------------------------------- https://www.borncity.com/blog/2023/08/22/verbraucherzentrale-warnt-vor-fake… ===================== = Vulnerabilities = ===================== ∗∗∗ TP-Link smart bulbs can let hackers steal your WiFi password ∗∗∗ --------------------------------------------- Researchers from Italy and the UK have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and TP-Links Tapo app, which could allow attackers to steal their targets WiFi password. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tp-link-smart-bulbs-can-let-… ∗∗∗ McAfee Security Bulletin – McAfee Safe Connect update fixes Privilege Escalation vulnerability (CVE-2023-40352) ∗∗∗ --------------------------------------------- This Security Bulletin describes a vulnerability in a McAfee program, and provides ways to remediate (fix) the issue or mitigate (minimize) its impact. --------------------------------------------- https://www.mcafee.com/support/?articleId=TS103462&page=shell&shell=article… ∗∗∗ Hitachi Energy AFF66x ∗∗∗ --------------------------------------------- CVSS v3 9.6 Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices. CVE-2021-43523, CVE-2020-13817, CVE-2020-11868, CVE-2019-11477, CVE-2022-3204, CVE-2018-18066 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- CVSS v3 9.8 Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-03 ∗∗∗ Trane Thermostats ∗∗∗ --------------------------------------------- CVSS v3 6.8 Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename. CVE-2023-4212 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02 ∗∗∗ Jetzt patchen! Angreifer schieben Schadcode durch Lücke in Adobe ColdFusion ∗∗∗ --------------------------------------------- Angreifer attackieren Adobes Middleware ColdFusion. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9278446 ∗∗∗ K000135921 : Python urllib.parse vulnerability CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://my.f5.com/manage/s/article/K000135921?utm_source=f5support&utm_medi… ∗∗∗ Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites ∗∗∗ --------------------------------------------- After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day. We urge users to update their sites with the latest patched version of Charitable, which is version 1.7.0.13 at the time of this writing, as soon as possible. --------------------------------------------- https://www.wordfence.com/blog/2023/08/critical-privilege-escalation-vulner… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, lxc, and zabbix), Fedora (clamav), SUSE (python-configobj), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/942405/ ∗∗∗ IBM Robotic Process Automation is vulnerable to exposure of sensitive information in application logs (CVE-2023-38732) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028221 ∗∗∗ IBM Robotic Process Automation is vulnerable to information disclosure of script content (CVE-2023-40370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028218 ∗∗∗ Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028226 ∗∗∗ IBM Robotic Process Automation is vulnerable to sensitive information disclosure in installation logs (CVE-2023-38733) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028223 ∗∗∗ A vulnerability in urlib3 affects IBM Robotic Process Automation for Cloud Pak which may result in CRLF injection (CVE-2020-26137). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028229 ∗∗∗ Multiple security vulnerabilities in .NET may affect IBM Robotic Process Automation for Cloud Pak (CVE-2023-24936, CVE-2023-29337, CVE-2023-33128) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028228 ∗∗∗ IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing user from an LDAP directory (CVE-2023-38734). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028227 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM Decision Optimization for Cloud Pak for Data is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551376 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551326 ∗∗∗ IBM Informix JDBC Driver Is Vulnerable to Remote Code Execution (CVE-2023-27866) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007615 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6565069 ∗∗∗ A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6594121 ∗∗∗ Vulnerabilities in Linux kernel, libssh, and Java can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028316 ∗∗∗ Vulnerabilities in Oracle Java and the IBM Java SDK (CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968 and CVE-2023-21937 ) affect Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028209 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028350 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2023
by Daily end-of-shift report 21 Aug '23

21 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-08-2023 18:00 − Montag 21-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice ∗∗∗ --------------------------------------------- While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggios third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-augus… ∗∗∗ WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker thats engineered to conduct tech support scams.The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks [..] --------------------------------------------- https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html ∗∗∗ How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes ∗∗∗ --------------------------------------------- >From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. --------------------------------------------- https://thehackernews.com/2023/08/how-to-investigate-oauth-grant-for.html ∗∗∗ Journey into Windows Kernel Exploitation: The Basics ∗∗∗ --------------------------------------------- This blogpost embarks on the initial stages of kernel exploitation. The content serves as an introduction, leading to an imminent and comprehensive whitepaper centered around this subject matter. Through this, a foundation is laid for understanding how kernel drivers are developed, as well as basic understanding around key concepts that will be instrumental to comprehending the paper itself. --------------------------------------------- https://blog.neuvik.com/journey-into-windows-kernel-exploitation-the-basics… ∗∗∗ mTLS: When certificate authentication is done wrong ∗∗∗ --------------------------------------------- In this post, well deep dive into some interesting attacks on mTLS authentication. Well have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages. --------------------------------------------- https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done… ∗∗∗ ScienceLogic Dumpster Fire ∗∗∗ --------------------------------------------- In the last email correspondence with the vendor, nearly 9 months ago, the security director asserted that the vulnerabilities were addressed. However, they remained reluctant to proceed with CVE issuance. Considering the extensive duration that’s transpired, we opted to independently proceed with CVE issuance and disclosure. As a result, the vulnerabilities we identified are logged as CVE-2022-48580 through CVE-2022-48604. --------------------------------------------- https://www.securifera.com/blog/2023/08/16/sciencelogic-dumpster-fire/ ∗∗∗ Volatility Workbench: Empowering memory forensics investigations ∗∗∗ --------------------------------------------- Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computers volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/volatility-workbenc… ∗∗∗ Vorsicht vor Investment-Tipps aus Telegram-Gruppen ∗∗∗ --------------------------------------------- Zahlreiche Telegram-Gruppen wie „Didi Random“, „Glück liebt Geld“ oder „Geld-Leuchtturm“ versprechen schnellen Reichtum. In diesen Gruppen erhalten Sie angebliche Investmenttipps, Erfolgsgeschichten von Anleger:innen und Kontakte zu „Finanz-Gurus“, die Ihnen bei der Geldanlage helfen. Wenn Sie bei den empfohlenen Plattformen investieren, verlieren Sie viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-investment-tipps-aus-te… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting (CVE-2023-40068) ∗∗∗ --------------------------------------------- Description: WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of the user who is logging in to the product with the editor or higher privilege. --------------------------------------------- https://jvn.jp/en/jp/JVN98946408/ ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- Impact: - An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-39543 - A remote attacker may execute arbitrary queries against the database and obtain or alter the information in it - CVE-2023-39939 --------------------------------------------- https://jvn.jp/en/jp/JVN04876736/ ∗∗∗ CD_SVA_2023_3: Wibu Systems - CodeMeter Runtime - security vulnerability addressed ∗∗∗ --------------------------------------------- A report has been received for the following security vulnerability in the zenon software platform: CVE-2023-3935 Further details regarding the vulnerability, mitigation options and product fixes that may be available, can be found in [...] --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-sva-2023-3-wibu-s… ∗∗∗ CVE-2023-38035 - Vulnerability affecting Ivanti Sentry ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. We have reported this as CVE-2023-38035. This vulnerability impacts all supported versions – Versions 9.18. 9.17 and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions [..] While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-s… ∗∗∗ Update bereits ausgespielt: Kritische Lücke in WinRAR erlaubte Code-Ausführung ∗∗∗ --------------------------------------------- Das verbreitete Kompressionstool WinRAR besaß in älteren Versionen eine schwere Lücke, die beliebige Codeausführung erlaubte. Die aktuelle Version schließt sie. --------------------------------------------- https://heise.de/-9268105 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim). --------------------------------------------- https://lwn.net/Articles/942311/ ∗∗∗ GraphQL Java component is vulnerable to CVE-2023-28867 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028108 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028091 ∗∗∗ Mutiple Vulnerabilties Affecting IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028166 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028168 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028185 ∗∗∗ A security vulnerability in Microsoft.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2023-29331). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026762 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2023
by Daily end-of-shift report 18 Aug '23

18 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-08-2023 18:00 − Freitag 18-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ „Ihre Rückerstattung ist online verfügbar“: Phishing-Mail im Namen von oesterreich.gv.at ∗∗∗ --------------------------------------------- Aktuell melden uns zahlreiche Leser:innen eine betrügerische E-Mail, die im Namen von oesterreich.gv.at verschickt wird. In der E-Mail wird behauptet, dass eine Rückerstattung von 176,88 Euro aussteht. Achtung: Dahinter stecken Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/ihre-rueckerstattung-ist-online-verf… ∗∗∗ Microsoft: BlackCats Sphynx ransomware embeds Impacket, RemCom ∗∗∗ --------------------------------------------- Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-… ∗∗∗ From a Zalando Phishing to a RAT, (Fri, Aug 18th) ∗∗∗ --------------------------------------------- Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes, fashion across Europe. It was the first time that I saw them used in a phishing campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/30136 ∗∗∗ Critical Security Update for Magento Open Source & Adobe Commerce ∗∗∗ --------------------------------------------- Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read. --------------------------------------------- https://blog.sucuri.net/2023/08/critical-security-update-for-magento-adobe-… ∗∗∗ New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools ∗∗∗ --------------------------------------------- Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the companys [...] --------------------------------------------- https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.ht… ∗∗∗ Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams ∗∗∗ --------------------------------------------- [...] another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. [...] This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2 ∗∗∗ Recapping the top stories from Black Hat and DEF CON ∗∗∗ --------------------------------------------- If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-aug-17-2023/ ∗∗∗ NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security ∗∗∗ --------------------------------------------- A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as "NT AUTHORITY\SYSTEM" is required. --------------------------------------------- https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html ∗∗∗ Kommentar zum Azure-Master-Key-Diebstahl: Microsofts Reaktion lässt tief blicken ∗∗∗ --------------------------------------------- Microsoft lässt sich einen Signing Key für Azure klauen. Bis jetzt ist die Tragweite des Angriffs unklar. Das ist unverantwortlich, kommentiert Oliver Diedrich. --------------------------------------------- https://heise.de/-9258697 ∗∗∗ Gefälschte Buchungsseite vom Hotel Regina ∗∗∗ --------------------------------------------- Planen Sie gerade einen Urlaub in Wien? Vorsicht, wenn Sie das Hotel Regina buchen wollen. Kriminelle haben eine gefälschte Buchungsseite ins Netz gestellt. Die Internetadresse der betrügerischen Buchungsseite lautet regina-hotel-vienna.h-rez.com. Wenn Sie dort buchen, stehlen Kriminelle Ihnen persönliche Daten und Kreditkartendaten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-buchungsseite-vom-hotel-… ===================== = Vulnerabilities = ===================== ∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability. By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. CVE IDs: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B… ∗∗∗ K30444545 : libxslt vulnerability CVE-2019-11068 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K30444545 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027948 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027944 ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote information transfer due to CouchDB CVE-2023-26268 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028066 ∗∗∗ Multiple vulnerabilities affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028074 ∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028087 ∗∗∗ A security vulnerability has been identified in the Apache POI, which is vulnerable to Denial of Service. (CVE-2017-5644) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/711741 ∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028095 ∗∗∗ RESTEasy component is vulnerable to CVE-2023-0482 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028099 ∗∗∗ netplex json-smart-v2 component is vulnerable to CVE-2023-1370 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028097 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2023
by Daily end-of-shift report 17 Aug '23

17 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2023 18:00 − Donnerstag 17-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Triple Extortion Ransomware and the Cybercrime Supply Chain ∗∗∗ --------------------------------------------- Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue. This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-… ∗∗∗ New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode ∗∗∗ --------------------------------------------- The method "tricks the victim into thinking their devices Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..] --------------------------------------------- https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html ∗∗∗ CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan ∗∗∗ --------------------------------------------- This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remot… ∗∗∗ Angreifer attackieren Citrix ShareFile ∗∗∗ --------------------------------------------- Die US-Behörde [CISA] hat die "kritische" Sicherheitslücke (CVE-2023-24489) in ihren Katalog bekannter ausgenutzter Sicherheitslücken eingetragen. In welchem Umfang die Attacken ablaufen, ist derzeit nicht bekannt. [..] Die Lücke ist seit Juni 2023 bekannt. Seitdem gibt es auch die gepatchte Version 5.11.24. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareF… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) ∗∗∗ --------------------------------------------- Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Patch Status : - Unpatched 25 - Patched 61 --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Phishing-Kampagne zielt auf Zimbra-Nutzer ab ∗∗∗ --------------------------------------------- Die Kampagne ist seit mindestens April 2023 aktiv und dauert laut Security-Forschern von ESET an. --------------------------------------------- https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/ ===================== = Vulnerabilities = ===================== ∗∗∗ PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673) ∗∗∗ --------------------------------------------- LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface. --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2023-0004 ∗∗∗ ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published ∗∗∗ --------------------------------------------- - CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser. - CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0. ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV’s End of Life (EOL) policy and will not be patched. --------------------------------------------- https://blog.clamav.net/2023/07/2023-08-16-releases.html ∗∗∗ Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process ∗∗∗ --------------------------------------------- By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available. --------------------------------------------- https://kb.cert.org/vuls/id/287122 ∗∗∗ TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha) ∗∗∗ --------------------------------------------- The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-007 ∗∗∗ Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest ∗∗∗ --------------------------------------------- The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..] Affected software versions: - vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4. - vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17. - vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17. --------------------------------------------- https://docs.varnish-software.com/security/VSV00012/ ∗∗∗ IP-Telefonie: Schwachstellen in der Provisionierung von Zoom und Audiocodes ∗∗∗ --------------------------------------------- Der Security-Experte Moritz Abrell von SySS hat Schwachstellen bei der IP-Telefonie mithilfe des Zoom Zero Touch Provisioning-Prozesses in Kombination mit Audiocodes 400HD Telefonen entdeckt. [..] Angreifer könnten gemäß den Darstellungen Gesprächsinhalte mithören, ein Botnetz aus infizierten Geräten bilden oder auf Basis der Kompromittierung der Endgeräte die Netzwerke attackieren, in denen diese betrieben werden. --------------------------------------------- https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierun… ∗∗∗ Synology-SA-23:11 Synology Camera ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. Solution: Upgrade to 1.0.5-0185 or above. Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation. --------------------------------------------- https://www.synology.com/en-global/security/advisory/Synology_SA_23_11 ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 - ICSA-23-229-03 Schnieder Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680 - ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-indu… ∗∗∗ Privilege Escalation in IBM Spectrum Virtualize ∗∗∗ --------------------------------------------- Im Rahmen einer oberflächlichen Sicherheitsprüfung stellte Certitude zwei Schwachstellen in der Firmware der IBM Spectrum Virtualize Storage-Lösung fest. Eine der Schwachstellen erlaubt es einem Benutzer der Administrationsschnittstelle, der nur über eingeschränkte Berechtigungen verfügt, beliebigen Code auszuführen. --------------------------------------------- https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-v… ∗∗∗ Atlassian Releases Security Update for Confluence Server and Data Center ∗∗∗ --------------------------------------------- Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.CISA encourages users and administrators to review Atlassian’s August 2003 Security Bulletin and apply the necessary update. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-secur… ∗∗∗ Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV AutoIt Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005499 ∗∗∗ IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027854 ∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027853 ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027855 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981105 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380954 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380968 ∗∗∗ Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6381220 ∗∗∗ Vulnerability in IBM JDK (CVE-2022-40609 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027898 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027921 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027919 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2023
by Daily end-of-shift report 16 Aug '23

16 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2023 18:00 − Mittwoch 16-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt 2FA aktivieren: Hackerangriffe auf Linkedin-Konten nehmen massiv zu ∗∗∗ --------------------------------------------- Cyberkriminelle haben es zuletzt vermehrt auf Linkedin-Konten abgesehen. Bei Google getätigte Suchanfragen bestätigen diesen Trend. --------------------------------------------- https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-… ∗∗∗ Vielfältige Attacken auf Ivanti Enterprise Mobility Management möglich (CVE-2023-32560) ∗∗∗ --------------------------------------------- Die Forscher geben an, die Schwachstelle im April 2023 gemeldet zu haben. Die gegen die Attacke abgesicherte EMM-Version 6.4.1 ist Anfang August erschienen. Mitte August haben die Sicherheitsforscher ihren Bericht veröffentlicht. --------------------------------------------- https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobil… ∗∗∗ IT-Schutz für Kommunen: 18 Checklisten für den Schnelleinstieg ∗∗∗ --------------------------------------------- Kommunen sind zunehmend Ziele von Cyber-Angriffen. Für angemessenen Schutz mangelt es oft an Wissen und Personal. 18 WiBA-Checklisten des BSI sollen das ändern. --------------------------------------------- https://heise.de/-9246027 ∗∗∗ TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519 ∗∗∗ --------------------------------------------- Use this Checklist to identify if your infrastructure already shows indications of a successful compromise --------------------------------------------- https://www.circl.lu/pub/tr-75/ ∗∗∗ Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) ∗∗∗ --------------------------------------------- Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances. --------------------------------------------- https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner ∗∗∗ l+f: Trojaner unterscheiden nicht zwischen Gut und Böse ∗∗∗ --------------------------------------------- D’oh! Sicherheitsforscher sind auf rund 120.000 mit Malware infizierte PCs gestoßen – von Cybergangstern. --------------------------------------------- https://heise.de/-9244810 ∗∗∗ Instagram-Nachricht: Gefälschte Beschwerde über Produktqualität führt zu Schadsoftware ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram. Darin beschwert sich eine Kundin, dass Ihre Produktqualität schlecht ist und das Produkt bereits nach 2 Tagen kaputt war. Ein Bild wird mitgeschickt. Laden Sie das Dokument mit der Endung .rar nicht herunter, es handelt sich um Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-besc… ∗∗∗ An Apple malware-flagging tool is “trivially” easy to bypass ∗∗∗ --------------------------------------------- Background Task Manager can potentially miss malicious software on your machine. --------------------------------------------- https://arstechnica.com/?p=1960742 ∗∗∗ Ongoing scam tricks kids playing Roblox and Fortnite ∗∗∗ --------------------------------------------- The scams are often disguised as promotions, and they can all be linked to one network. --------------------------------------------- https://arstechnica.com/?p=1961085 ∗∗∗ Raccoon Stealer malware returns with new stealthier version ∗∗∗ --------------------------------------------- The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-retu… ∗∗∗ Massive 400,000 proxy botnet built with stealthy malware infections ∗∗∗ --------------------------------------------- A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet… ∗∗∗ QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victims Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers Telegram bot, providing them with unauthorized access to the victims sensitive information," [...] --------------------------------------------- https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html ∗∗∗ Cookie Crumbles: Breaking and Fixing Web Session Integrity ∗∗∗ --------------------------------------------- In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security. --------------------------------------------- https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf ∗∗∗ Chrome 116 Patches 26 Vulnerabilities ∗∗∗ --------------------------------------------- Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser. --------------------------------------------- https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/ ∗∗∗ Monti ransomware targets legal and gov’t entities with new Linux-based variant ∗∗∗ --------------------------------------------- The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business. --------------------------------------------- https://therecord.media/monti-ransomware-targets-govt-entities ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-expl… ∗∗∗ PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks ∗∗∗ --------------------------------------------- Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallerys policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registrys vast user base. --------------------------------------------- https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expos… ∗∗∗ Verwundbare Webserver: Status in Österreich ∗∗∗ --------------------------------------------- Nachdem wir in den letzten Wochen von Schwachstellen in Systemen von Citrix, Ivanti und Fortinet berichtet haben, wollte ich wissen, wie weit Österreich beim Patchen ist. Wir bekommen von ShadowServer täglich Reports mit den Ergebnissen ihrer Scans über das ganze Internet. Im „Vulnerable HTTP Report“ geht es unter anderem um Schwachstellen, die in Web-Applikationen gefunden wurden. Auf Hersteller bezogen kann man aus den Daten für Österreich folgende folgende Entwicklung ablesen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterre… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 8.4 Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800 Vulnerable version: < 4.6.0.105, < 4.7.0.103 --------------------------------------------- https://pentest.blog/advisory-netmodule-router-software-race-condition-lead… ∗∗∗ Sicherheitslücken: Angreifer können Hintertüren in Datenzentren platzieren ∗∗∗ --------------------------------------------- Schwachstellen in Software von CyberPower und Dataprobe zur Energieüberwachung und -Verteilung gefährden Datenzentren. --------------------------------------------- https://heise.de/-9245788 ∗∗∗ Lücken in Kennzeichenerkennungssoftware gefährden Axis-Überwachungskamera ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Software für Überwachungskameras von Axis gefährden Geräte. --------------------------------------------- https://heise.de/-9245978 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome). --------------------------------------------- https://lwn.net/Articles/941658/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/941722/ ∗∗∗ Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01 ∗∗∗ Rockwell Automation Armor PowerFlex ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02 ∗∗∗ K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135852 ∗∗∗ CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) – 15 August 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ [R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-28 ∗∗∗ Vulnerabilities in Node.js modules affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026694 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380956 ∗∗∗ Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027483 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027509 ∗∗∗ IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026692 ∗∗∗ Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2023
by Daily end-of-shift report 14 Aug '23

14 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2023 18:00 − Montag 14-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MaginotDNS attacks exploit weak checks for DNS cache poisoning ∗∗∗ --------------------------------------------- A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named MaginotDNS, that targets Conditional DNS (CDNS) resolvers and can compromise entire TLDs top-level domains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-w… ∗∗∗ Phishing with hacked sites ∗∗∗ --------------------------------------------- Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site. --------------------------------------------- https://securelist.com/phishing-with-hacked-sites/110334/ ∗∗∗ Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zooms Zero Touch Provisioning (ZTP) that could be potentially exploited by a malicious attacker to conduct remote attacks. "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday. --------------------------------------------- https://thehackernews.com/2023/08/zoom-ztp-audiocodes-phones-flaws.html ∗∗∗ Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability ∗∗∗ --------------------------------------------- E-commerce sites using Adobes Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html ∗∗∗ HAK5 BashBunny USB Gadget IoC Removal ∗∗∗ --------------------------------------------- StealthBunny is a tool designed to modify HAK5s BashBunny USB gadget kernel driver to remove possible indicators of compromise. --------------------------------------------- https://github.com/emptynebuli/StealthBunny ∗∗∗ Microsofts Cloud-Hack: Überprüfung durch US Cyber Safety Review Board ∗∗∗ --------------------------------------------- Die Cybervorfälle der letzten Monate haben die US-Sicherheitsbehörden aufgeschreckt. Nun will sich das US Cyber Safety Review Board (CSRB) den Hack der Microsoft Cloud durch die mutmaßlich chinesische Hackergruppe Storm-0558 genauer ansehen. Der Fall war im Juli 2023 bekannt geworden und hatte wegen der Umstände Wellen geschlagen. --------------------------------------------- https://www.borncity.com/blog/2023/08/12/microsofts-cloud-hack-berprfung-du… ∗∗∗ Whats New in CVSS v4 ∗∗∗ --------------------------------------------- The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/14/whats-new-in-cvss-v4/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://kb.cert.org/vuls/id/127587 ∗∗∗ Schwachstelle in Sync 3: Infotainmentsystem von Ford ermöglicht Angriff via Wi-Fi ∗∗∗ --------------------------------------------- Das in vielen Ford-Modellen genutzte Infotainmentsystem Sync 3 hat eine Schwachstelle, durch die Angreifer böswilligen Code ausführen können. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-sync-3-infotainmentsystem-von-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2). --------------------------------------------- https://lwn.net/Articles/941587/ ∗∗∗ F5: K000135795 : Downfall Attacks CVE-2022-40982 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135795 ∗∗∗ F5: K000135831 : Node.js vulnerability CVE-2023-32067 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135831 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage System (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025515 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025507 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025510 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6529302 ∗∗∗ IBM PowerVM Novalink is vulnerable because flaw was found in IBM SDK, Java Technology Edition, which could allow a remote attacker to execute arbitrary code on the system caused by an unsafe deserialization flaw. (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026380 ∗∗∗ Kafka nodes in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026403 ∗∗∗ IBM ELM affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026536 ∗∗∗ Vulnerability in IBM Java SDK affects WebSphere Service Registry and Repository (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026489 ∗∗∗ Security Vulnerabilities in JRE and Java packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026553 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2023
by Daily end-of-shift report 11 Aug '23

11 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2023 18:00 − Freitag 11-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gafgyt malware exploits five-years-old flaw in EoL Zyxel router ∗∗∗ --------------------------------------------- Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five… ∗∗∗ Nutzerdaten in Gefahr: Microsoft Onedrive als Werkzeug für Ransomware-Angriffe ∗∗∗ --------------------------------------------- Onedrive soll die Daten von Windows-Nutzern eigentlich vor Ransomware-Angriffen schützen. Effektiv ist das aber offenbar nicht immer. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werk… ∗∗∗ 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks ∗∗∗ --------------------------------------------- A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. --------------------------------------------- https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html ∗∗∗ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability ∗∗∗ --------------------------------------------- While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack. --------------------------------------------- https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/ ∗∗∗ Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022 ∗∗∗ --------------------------------------------- In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability. --------------------------------------------- https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-194… ∗∗∗ Theres a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack ∗∗∗ --------------------------------------------- A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be most secure of the bunch. --------------------------------------------- https://www.theregister.com/2023/08/10/tunnelcrack_vpn/ ∗∗∗ Site Takeover via SCCM’s AdminService API ∗∗∗ --------------------------------------------- tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. --------------------------------------------- https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e2… ∗∗∗ A-Z: OPNsense - Penetration Test ∗∗∗ --------------------------------------------- We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now. --------------------------------------------- https://logicaltrust.net/blog/2023/08/opnsense.html ∗∗∗ Lesetipp: Wenn der Microsoft Defender zum Angreifer wird ∗∗∗ --------------------------------------------- Forscher haben spannende Details zu einer im April gefixten Lücke im Defender-Signaturupdateprozess veröffentlicht. Sie sehen Potenzial für künftige Angriffe. --------------------------------------------- https://heise.de/-9241230 ∗∗∗ Samsonite-Gewinnspiel auf Facebook führt in teure Abo-Falle! ∗∗∗ --------------------------------------------- Die betrügerische Facebook-Seite „Koffer-Paradies“ verbreitet derzeit ein Gewinnspiel, das in eine teure Abo-Falle führt. Versprochen wird ein Koffer der Marke Samsonite. Achtung! Wer mitspielt, erhält keinen Gewinn, sondern soll monatlich 70 Euro an Kriminelle bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-f… ∗∗∗ Phishing über Amazon Web Services ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben vor einiger Zeit einen weiteren Dienst entdeckt, der für fortschrittliche Phishing-Kampagnen von Hackern missbraucht wird. Diesmal erfolgt der Missbrauch für Phishing-Kampagnen über die Amazon Web Services (AWS). . Das Programm wird zum Versenden von Phishing-E-Mails genutzt, um diesen einen täuschend echten Anstrich zu geben. --------------------------------------------- https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/ ===================== = Vulnerabilities = ===================== ∗∗∗ AMD and Intel CPU security bugs bring Linux patches ∗∗∗ --------------------------------------------- Its not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. --------------------------------------------- https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-p… ∗∗∗ Statischer Schlüssel in Dell Compellent leakt Zugangsdaten für VMware vCenter ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle in Dells Compellent Integration Tools for VMware (CITV) können Angreifer Log-in-Daten entschlüsseln. --------------------------------------------- https://heise.de/-9241495 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools). --------------------------------------------- https://lwn.net/Articles/941271/ ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025193 ∗∗∗ App Connect Professional is affected by Bouncy Castle vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025330 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025344 ∗∗∗ Vulnerability in the Flask repo may affect affect IBM Elastic Storage System (CVE-2023-30861) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025351 ∗∗∗ Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025349 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025354 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025446 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025170 ∗∗∗ IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025476 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2023
by Daily end-of-shift report 10 Aug '23

10 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2023 18:00 − Donnerstag 10-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Common TTPs of attacks against industrial organizations ∗∗∗ --------------------------------------------- In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. --------------------------------------------- https://securelist.com/common-ttps-of-attacks-against-industrial-organizati… ∗∗∗ Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet ∗∗∗ --------------------------------------------- Cryptographic flaws still matter. Here’s a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy.Seems like this flaw is being exploited in the wild. --------------------------------------------- https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbit… ∗∗∗ Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives ∗∗∗ --------------------------------------------- Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations --------------------------------------------- https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html ∗∗∗ New Statc Stealer Malware Emerges: Your Sensitive Data at Risk ∗∗∗ --------------------------------------------- A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information."Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. --------------------------------------------- https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.ht… ∗∗∗ CISA Analysis Report: MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors ∗∗∗ --------------------------------------------- CISA obtained four malware samples - including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-221a ∗∗∗ Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The specific flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1056/ ∗∗∗ Some things never change ? such as SQL Authentication ?encryption? ∗∗∗ --------------------------------------------- Fat client applications running on (usually) Windows are still extremely common in enterprises. [..] “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking at Windows environment primarily here, this will be most of the time a Microsoft SQL Server database). [..] Finally, how do we prevent this? Well, one solution is easy – do not use SQL Server authentication but instead have users use their Windows credentials --------------------------------------------- https://isc.sans.edu/diary/rss/30112 ∗∗∗ Honeypot: Forscher lockten Hacker in über 20.000 RDP-Sitzungen ∗∗∗ --------------------------------------------- Die Sicherheitsforscher planen für die kommenden Monate die Veröffentlichung einer Blog-Post-Serie, in der sie die Strategien und Tools der beobachteten Hacker näher erläutern wollen. Die Erkenntnisse sollen vor allem Strafverfolgern sowie anderen Sicherheitsexperten dienen, um effektive Abwehrstrategien gegen Cyberangriffe zu entwickeln und Ermittlungen gegen kriminelle Akteure in Zukunft schneller voranzutreiben --------------------------------------------- https://www.golem.de/news/honeypot-forscher-lockten-hacker-in-ueber-20-000-… ∗∗∗ Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization ∗∗∗ --------------------------------------------- Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. [..] This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement --------------------------------------------- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition ∗∗∗ --------------------------------------------- Team82 today shares some details about a unique attack technique that could allow an attacker to impersonate Western Digital (WD) network-attached storage (NAS) devices. [..] Western Digital has provided firmware updates for all affected devices and also released advisories (here, here, here). Connected devices have been updated automatically. Any device yet to be updated has been banned by WD from connecting to the MyCloud service until it’s running the current firmware version. --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition ∗∗∗ --------------------------------------------- Team82 has developed a unique technique that allowed us to impersonate Synology’s DS920+ network-attached storage device and force its QuickConnect cloud service to redirect users to an attacker-controlled device. Synology, a top-tier NAS vendor, has addressed the vulnerabilities we uncovered, and has updated its cloud service to protect its users. [..] We uncovered not only credential theft flaws, but also remote code execution vulnerabilities [..] --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ Smashing the state machine: the true potential of web race conditions ∗∗∗ --------------------------------------------- For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, Ill introduce new classes of race condition that go far beyond the limit-overrun exploits youre probably already familiar with. --------------------------------------------- https://portswigger.net/research/smashing-the-state-machine? ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023) ∗∗∗ --------------------------------------------- Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“, "Ihre Bawag Security App" oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Mac systems turned into proxy exit nodes by AdLoad ∗∗∗ --------------------------------------------- AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Nextcloud/Nextcloud Enterprise/Nextcloud Talk Android app ∗∗∗ --------------------------------------------- High severity: - Missing password confirmation when creating app passwords, CVSS 8.1 - Path traversal allows tricking the Talk Android app into writing files into its root directory, CVSS 7.2 - Users can delete external storage mount points, CVSS 7.7 3x Moderate Severity, 4x Low Severity --------------------------------------------- https://github.com/nextcloud/security-advisories/security ∗∗∗ Multiple Vulnerabilities in Softing edgeAggregator/Secure Integration Server/edgeConnector Siemens ∗∗∗ --------------------------------------------- CVE-2023-27335/CVSS 8.8, CVE-2023-38126/CVSS 7.2, CVE-2023-38125/CVSS 7.5, CVE-2023-39478/CSS 6.6, CVE-2023-39479/CVSS 6.6, CVE-2023-39480/CVSS 4.4, CVE-2023-39481/CVSS 6.6, CVE-2023-39482/CVSS 4.9, CVE-2023-27336/CVSS 7.5, CVE-2023-27334/CVSS 7.5, CVE-2023-29377/CVSS 6.6 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Videomeeting-Anwendungen: Zoom rüstet Produkte gegen mögliche Attacken ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates, für unter anderem den Windows-Client von Zoom, schließen mehrere Lücken. --------------------------------------------- https://heise.de/-9240044 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity). --------------------------------------------- https://lwn.net/Articles/941082/ ∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM Liberty for Java for IBM Cloud due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2023
by Daily end-of-shift report 09 Aug '23

09 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2023 18:00 − Mittwoch 09-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious extensions can abuse VS Code flaw to steal auth tokens ∗∗∗ --------------------------------------------- Microsofts Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abu… ∗∗∗ EvilProxy phishing campaign targets 120,000 Microsoft 365 users ∗∗∗ --------------------------------------------- EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-… ∗∗∗ Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining ∗∗∗ --------------------------------------------- Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. --------------------------------------------- https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“ oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Es war ein schöner Tag dieser Freitag der 03. Februar 2023, aber wie es Freitage im Cybersicherheits-Umfeld leider so an sich haben, sollte sich das schnell ändern. Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Fantastic Rootkits: And Where To Find Them (Part 3) – ARM Edition ∗∗∗ --------------------------------------------- In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - Buffer overflow in execute extender command (CVE-2023-29182) ∗∗∗ --------------------------------------------- A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-149 ∗∗∗ Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030 --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bio… ∗∗∗ Lenovo: AMD Graphics OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-ope… ∗∗∗ Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wir… ∗∗∗ Lenovo: Intel Chipset Firmware Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-fi… ∗∗∗ Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319) ∗∗∗ --------------------------------------------- The fix for XSA-423 added logic to Linuxes netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didnt account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area thats specially dealt with to keep all (possible) headers together. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-432.html ∗∗∗ Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569) ∗∗∗ --------------------------------------------- It is possible to poison the branch type and target predictions such that, at a point of the attackers choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attackers choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-434.html ∗∗∗ Xen XSA-435 x86/Intel: Gather Data Sampling ∗∗∗ --------------------------------------------- A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-435.html ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982 ∗∗∗ --------------------------------------------- - An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319) - In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982) - In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569) --------------------------------------------- https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bul… ∗∗∗ LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart ∗∗∗ --------------------------------------------- When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payloads protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt ∗∗∗ LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart ∗∗∗ --------------------------------------------- When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon. --------------------------------------------- https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt ∗∗∗ LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart ∗∗∗ --------------------------------------------- When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt ∗∗∗ LWN: Stable kernels with security fixes ∗∗∗ --------------------------------------------- The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases --------------------------------------------- https://lwn.net/Articles/940798/ ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren entdeckt ∗∗∗ --------------------------------------------- Die Security-Konferenz Black Hat ist für AMD und Intel kein Spaß. Beide Hersteller müssen sich mit zahlreichen Sicherheitslücken befassen – BIOS-Updates kommen. --------------------------------------------- https://heise.de/-9239339 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc). --------------------------------------------- https://lwn.net/Articles/940912/ ∗∗∗ SAP Patches Critical Vulnerability in PowerDesigner Product ∗∗∗ --------------------------------------------- SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product. --------------------------------------------- https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdes… ∗∗∗ Microsoft Releases August 2023 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-augus… ∗∗∗ Released: August 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-… ∗∗∗ Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023647 ∗∗∗ protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023656 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024729 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023423 ∗∗∗ IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024862 ∗∗∗ IBM MQ is affected by multiple Angular JS vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023212 ∗∗∗ IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2023
by Daily end-of-shift report 08 Aug '23

08 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 07-08-2023 18:00 − Dienstag 08-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability. [..] The vendor states this is by-design, and they do not consider it to be a security risk. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1044/ ∗∗∗ Understanding Active Directory Attack Paths to Improve Security ∗∗∗ --------------------------------------------- Active Directory, Actively Problematic. But as central as it is, Active Directory security posture is often woefully lacking. Lets take a quick peek at how Active Directory assigns users, which will shed some light on why this tool has some shall we say, issues, associated with it. --------------------------------------------- https://thehackernews.com/2023/08/understanding-active-directory-attack.html ∗∗∗ Fake-Shop presssi.shop kopiert österreichisches Unternehmen ∗∗∗ --------------------------------------------- Der Online-Shop presssi.shop ist besonders schwer als Fake-Shop zu erkennen, da er ein echtes Unternehmen kopiert. Die Kriminellen stehlen Firmendaten und das Logo der „niceshops GmbH“, einer E-Commerce-Dienstleistung aus Österreich. Außerdem sind herkömmliche Tipps zum Erkennen von Fake-Shops in diesem Fall nicht anwendbar. Wir zeigen Ihnen, wie wir den Shop als Fake entlarvt haben. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-presssishop-kopiert-oester… ∗∗∗ Abmahnung im Namen von Dr. Matthias Losert ist betrügerisch ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen vom Berliner Anwalt Dr. Matthias Losert Abmahnungen wegen einer Urheberrechtsverletzung. Sie werden beschuldigt, illegal einen Film heruntergeladen zu haben. Für diesen Verstoß fordert man von Ihnen nun 450 Euro. Ignorieren Sie dieses E-Mail und antworten Sie nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/abmahnung-im-namen-von-dr-matthias-l… ===================== = Vulnerabilities = ===================== ∗∗∗ Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client ∗∗∗ --------------------------------------------- On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper discusses two attacks that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both instances, an attacker can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Siemens: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- JT Open, JT Utilities, Parasolid, Parasolid Installer, Solid Edge, JT2Go, Teamcenter Visualization, APOGEE/TALON Field Panels, Siemens Software Center, SIMATIC Products, RUGGEDCOM CROSSBOW, RUGGEDCOM ROS Devices, SICAM TOOLBOX II --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Multiple Vulnerabilities in Inductive Automation Ignition ∗∗∗ --------------------------------------------- * Deserialization of Untrusted Data Remote Code Execution (CVE-2023-39473, CVE-2023-39476, CVE-2023-39475) * XML External Entity Processing Information Disclosure (CVE-2023-39472) * Remote Code Execution (CVE-2023-39477) --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (CVE-2023-38157) ∗∗∗ --------------------------------------------- CVSS:3.1 6.5 / 5.7 This vulnerability requires a user to open a Web Archive file with spoofed origin of the web content in the affected version of Microsoft Edge (Chromium-based). --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtmlcleaner-java and thunderbird), Red Hat (dbus, kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), SUSE (chromium, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, kernel-firmware, libqt5-qtbase, libqt5-qtsvg, librsvg, pcre2, perl-Net-Netmask, qt6-base, and thunderbird), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940755/ ∗∗∗ Android: August-Patchday bringt Fixes für 53 Schwachstellen ∗∗∗ --------------------------------------------- Vier Lücken stuft Google als kritisch ein. Sie erlauben unter anderem das Ausführen von Schadcode ohne Interaktion mit einem Nutzer. --------------------------------------------- https://www.zdnet.de/88411017/android-august-patchday-bringt-fixes-fuer-53-… ∗∗∗ PHOENIX CONTACT: PLCnext Engineer Vulnerabilities in LibGit2Sharp/LibGit2 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-016/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-017/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-018/ ∗∗∗ Vulnerability in IBM Java SDK affects IBM WebSphere Application Server due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022475 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999317 ∗∗∗ A remote code execution vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022836 ∗∗∗ IBM Jazz Team Server is vulnerable to server-side request forgery. (CVE-2022-43879) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023193 ∗∗∗ OpenSSL publicly disclosed vulnerabilities affect IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023206 ∗∗∗ Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023204 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attack due to IBM SDK Java (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023275 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-01 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2023
by Daily end-of-shift report 07 Aug '23

07 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-08-2023 18:00 − Montag 07-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers ∗∗∗ --------------------------------------------- Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap thats engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html ∗∗∗ New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy ∗∗∗ --------------------------------------------- A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html ∗∗∗ Technical Summary of Observed Citrix CVE-2023-3519 Incidents ∗∗∗ --------------------------------------------- The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. [...] Please ensure you follow the detection and hunting steps provided for signs of possible compromise and webshell presence. --------------------------------------------- https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-… ∗∗∗ Security-Bausteine, Teil 5: Vier Stufen – Risiko und Security Levels ∗∗∗ --------------------------------------------- Das Einrichten des IT-Schutzes bedeutet häufig langwierige Prozesse. Abhilfe schaffen die Security Levels zum Absichern gegen potenzielle Angreiferklassen. --------------------------------------------- https://heise.de/-9220500 ∗∗∗ Vernetzte Geräte: EU gewährt Aufschub für höhere Cybersicherheit ∗∗∗ --------------------------------------------- Die EU wollte Hersteller von Smartphones, Wearables & Co. ab 2024 zu deutlich mehr IT-Sicherheit und Datenschutz verpflichten. Doch jetzt gibt es Aufschub. --------------------------------------------- https://heise.de/-9235663 ∗∗∗ Zutatenliste: BSI stellt Regeln zum Absichern der Software-Lieferkette auf ∗∗∗ --------------------------------------------- Das BSI hat eine Richtlinie für Software Bills of Materials (SBOM) herausgegeben. Solche Übersichtslisten sollen Sicherheitsdebakeln wie Log4J entgegenwirken. --------------------------------------------- https://heise.de/-9235853 ∗∗∗ Visualizing Qakbot Infrastructure Part II: Uncharted Territory ∗∗∗ --------------------------------------------- A Data-Driven Approach Based on Analysis of Network Telemetry - In this blog post, we will provide an update on our high-level analysis of... --------------------------------------------- https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische RCE-Schwachstelle CVE-2023-39143 in PaperCut vor Version 22.1.3 ∗∗∗ --------------------------------------------- Wer die Druck-Management-Lösung Papercut MF/NG im Einsatz hat, sollte das Produkt dringend patchen. Eine gerade bekannt gewordene kritische RCE-Schwachstelle CVE-2023-39143 ermöglicht die Übernahme der PaperCut-Server. Der Anbieter hat bereits einen entsprechenden Sicherheitspatch zum Beseitigen der Schwachstelle veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2023/08/05/kritische-rce-schwachstelle-cve-20… ∗∗∗ Sicherheitsupdates: Angreifer können Drucker von HP und Samsung attackieren ∗∗∗ --------------------------------------------- Einige Drucker-Modelle von HP und Samsung sind verwundbar. Sicherheitsupdates lösen das Problem. --------------------------------------------- https://heise.de/-9236703 ∗∗∗ VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution ∗∗∗ --------------------------------------------- Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. [...] The CERT/CC is currently unaware of a practical solution to this problem. [...] We have not received a statement from the vendor. --------------------------------------------- https://kb.cert.org/vuls/id/947701 ∗∗∗ ZDI-23-1017: Extreme Networks AP410C Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Extreme Networks AP410C routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1017/ ∗∗∗ Triangle MicroWorks SCADA Data Gateway: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2023-39458, CVE-2023-39459, CVE-2023-39460, CVE-2023-39461, CVE-2023-39462, CVE-2023-39463, CVE-2023-39464, CVE-2023-39465, CVE-2023-39466, CVE-2023-39467, CVE-2023-39468, CVE-2023-39457 CVSS Scores: <= 9.8 See also https://www.zerodayinitiative.com/advisories/published/ --------------------------------------------- https://www.trianglemicroworks.com/products/scada-data-gateway/whats-new ∗∗∗ CVE-2023-35082 - Vulnerability affecting EPMM and MobileIron Core ∗∗∗ --------------------------------------------- On 2 August 2023 at 10:00 MDT, Ivanti reported CVE-2023-35082. This vulnerability, which was originally discovered in MobileIron Core had not been previously identified as a vulnerability [...] Ivanti has continued its investigation and has found additional paths to exploiting CVE-2023-35082 depending on configuration of the Ivanti Endpoint Manager Mobile (EPMM) appliance. This impacts all versions of EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below. --------------------------------------------- https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-an… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox). --------------------------------------------- https://lwn.net/Articles/940682/ ∗∗∗ AUMA: SIMA Master Station affected by WRECK vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-028/ ∗∗∗ AUMA: Reflected Cross-Site Scripting Vulnerability in SIMA Master Stations ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-027/ ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020515 ∗∗∗ An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user (CVE-2023-38372) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020635 ∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017974 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020695 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020659 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JCommander [X-Force ID: 221124] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020636 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022413 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022414 ∗∗∗ A vulnerability has been identified in the IBM Storage Scale GUI where a remote authenticated user can execute commands (CVE-2023-33201) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2023
by Daily end-of-shift report 04 Aug '23

04 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2023 18:00 − Freitag 04-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Call to Action: Bolster UEFI Cybersecurity Now ∗∗∗ --------------------------------------------- Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. [...] Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice. CISA encourages the UEFI community to pursue all the options discussed in this blog with vigor. And the work must start today. --------------------------------------------- https://www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurit… ∗∗∗ Fake VMware vConnector package on PyPI targets IT pros ∗∗∗ --------------------------------------------- A malicious package that mimics the VMware vSphere connector module vConnector was uploaded on the Python Package Index (PyPI) under the name VMConnect, targeting IT professionals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-vmware-vconnector-packa… ∗∗∗ Midnight Blizzard conducts targeted social engineering over Microsoft Teams ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-… ∗∗∗ From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd) ∗∗∗ --------------------------------------------- Last week, my spam trap caught an e-mail with LNK attachment, which turned out to be quite interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/30094 ∗∗∗ Malicious npm Packages Found Exfiltrating Sensitive Data from Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," [...] --------------------------------------------- https://thehackernews.com/2023/08/malicious-npm-packages-found.html ∗∗∗ Are Leaked Credentials Dumps Used by Attackers? ∗∗∗ --------------------------------------------- I’ve been watching dumps of leaked credentials for a long time. [...] But are these leaks used to try to get access to mailboxes (or other services)? [...] Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials! --------------------------------------------- https://isc.sans.edu/diary/rss/30098 ∗∗∗ Handwerker:innen aufgepasst: Hier sollten Sie keine Werkzeuge kaufen! ∗∗∗ --------------------------------------------- Aktuell stoßen wir auf zahlreiche Fake-Shops, die Werkzeuge aller Art verkaufen. Allein in den letzten zwei Wochen haben wir mehr als 70 Online-Shops gefunden, die Werkzeuge anbieten – diese aber trotz Bezahlung nicht liefern. --------------------------------------------- https://www.watchlist-internet.at/news/handwerkerinnen-aufgepasst-hier-soll… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware VMSA-2023-0017 - VMware Horizon Server updates address multiple security vulnerabilities ∗∗∗ --------------------------------------------- - Request smuggling vulnerability (CVE-2023-34037), CVSSv3 base score of 5.3 - Information disclosure vulnerability (CVE-2023-34038), CVSSv3 base score of 5.3 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0017.html ∗∗∗ Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication ∗∗∗ --------------------------------------------- [...] it contains a privileged D-Bus service running as root and a Polkit policy. In the course of this review we noticed a broken and otherwise lacking Polkit authorization logic in the privileged `mozillavpn linuxdaemon` process. We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below. --------------------------------------------- https://www.openwall.com/lists/oss-security/2023/08/03/1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling). --------------------------------------------- https://lwn.net/Articles/940481/ ∗∗∗ Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38847224/ ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020316 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Tensorflow vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2023
by Daily end-of-shift report 03 Aug '23

03 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2023 18:00 − Donnerstag 03-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake FlipperZero sites promise free devices after completing offer ∗∗∗ --------------------------------------------- A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promi… ∗∗∗ Hackers can abuse Microsoft Office executables to download malware ∗∗∗ --------------------------------------------- The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will include the main executables for Microsofts Outlook email client and Access database management system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ "Grob fahrlässig": Sicherheitsproblem gefährdet Microsoft-Kunden seit Monaten ∗∗∗ --------------------------------------------- Eine Microsoft seit März bekannte kritische Schwachstelle in Azure AD macht weitere zahllose Organisationen noch heute anfällig für Cyberangriffe. --------------------------------------------- https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-mi… ∗∗∗ What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot ∗∗∗ --------------------------------------------- In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote. --------------------------------------------- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ ∗∗∗ New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 ∗∗∗ --------------------------------------------- Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-… ∗∗∗ Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers ∗∗∗ --------------------------------------------- In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, examines how it could be exploited, and a look at the patch Microsoft released to address the bug. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap… ∗∗∗ Hook, Line, and Phishlet: Conquering AD FS with Evilginx ∗∗∗ --------------------------------------------- Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn’t find a technical post covering this topic. So I saw this as an opportunity to learn --------------------------------------------- https://research.aurainfosec.io/pentest/hook-line-and-phishlet/ ∗∗∗ New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes ∗∗∗ --------------------------------------------- In Security Implications from Improper De-acquisition of Medical Infusion Pumps Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps — devices used to deliver and control fluids directly into a patient’s body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization’s networks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-… ∗∗∗ MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis ∗∗∗ --------------------------------------------- The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. --------------------------------------------- https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-t… ∗∗∗ Google Project Zero - Summary: MTE As Implemented ∗∗∗ --------------------------------------------- In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.h… ∗∗∗ Microsoft veröffentlicht TokenTheft-Playbook ∗∗∗ --------------------------------------------- Der Diebstahl von Tokens kann Angreifern den Zugriff auf entsprechende Dienste ermöglichen. Als Folge eines entsprechenden Vorfalls hat Microsoft daher das sogenannte TokenTheft-Playbook veröffentlicht. Es handelt sich um ein Online-Dokument mit zahlreichen Hinweisen für "Cloud-Verantwortliche", die sich um die Sicherheit und den Schutz vor dem Diebstahl von Zugangstokens kümmern müssen. --------------------------------------------- https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft… ∗∗∗ BSI Newsletter SICHER INFORMIERT vom 03.08.2023 ∗∗∗ --------------------------------------------- DSGVO – ein Segen für die IT-Sicherheit, Hersteller beklagen Patch-Müdigkeit, kritische Sicherheitslücke gefährdet Router & das BSI auf der Gamescom --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_… ∗∗∗ How Malicious Android Apps Slip Into Disguise ∗∗∗ --------------------------------------------- Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research. --------------------------------------------- https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-di… ∗∗∗ Watchlist Internet: Bestellen Sie unsere neue Broschüre „Betrug im Internet: So schützen Sie sich“ ∗∗∗ --------------------------------------------- Mit unserer neuen Broschüre „Betrug im Internet“ informieren wir Interessierte zu den Themen Einkaufen im Internet, betrügerische Nachrichten, Schadsoftware, Phishing, Vorschussbetrug und Finanzbetrug. Die kostenlose Broschüre können Sie herunterladen oder bei uns bestellen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere… ∗∗∗ Reptile Malware Targeting Linux Systems ∗∗∗ --------------------------------------------- Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic. --------------------------------------------- https://asec.ahnlab.com/en/55785/ ∗∗∗ 2022 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a ===================== = Vulnerabilities = ===================== ∗∗∗ Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033 ∗∗∗ --------------------------------------------- Security risk: Less critical Description: This module enables you to add the Matomo web statistics tracking system to your website.The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-033 ∗∗∗ CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older ∗∗∗ --------------------------------------------- A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-A… ∗∗∗ CVE-2023-28130 – Command Injection in Check Point Gaia Portal ∗∗∗ --------------------------------------------- The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’. --------------------------------------------- https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-… ∗∗∗ CVE-2023-31928 - XSS vulnerability in Brocade Webtools ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS ∗∗∗ --------------------------------------------- An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31926 - Arbitrary File Overwrite using less command ∗∗∗ --------------------------------------------- System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31432 - Privilege issues in multiple commands ∗∗∗ --------------------------------------------- Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31431 - A buffer overflow vulnerability in “diagstatus” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “diagstatus” command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31430 - buffer overflow vulnerability in “secpolicydelete” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “secpolicydelete” command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ VE-2023-31425 - Privilege escalation via the fosexec command ∗∗∗ --------------------------------------------- A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31429 - Vulnerability in multiple commands ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31427 - Knowledge of full path name ∗∗∗ --------------------------------------------- Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31428 - CLI allows upload or transfer files of dangerous types ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under users home directory using grep. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Sicherheitsupdates: Angreifer können Aruba-Switches kompromittieren (CVE-2023-3718) ∗∗∗ --------------------------------------------- Bestimmte Switch-Modelle von Aruba sind verwundbar. Die Entwickler haben eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9233677 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) ∗∗∗ --------------------------------------------- Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim). --------------------------------------------- https://lwn.net/Articles/940335/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE - ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products - ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface - ICSA-23-215-04 Sensormatic Electronics VideoEdge - ICSA-23-208-03 Mitsubishi Electric CNC Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-indus… ∗∗∗ Sicherheitsschwachstelle in verschiedenen Canon Inkjet-Druckermodellen (SYSS-2023-011) ∗∗∗ --------------------------------------------- Bei dem Canon Inkjet-Drucker PIXMA TR4550 besteht eine Sicherheitsschwachstelle aufgrund eines unzureichenden Schutzes sensibler Daten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-… ∗∗∗ [R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-27 ∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-securit… ∗∗∗ Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CODESYS: Missing Brute-Force protection in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-023/ ∗∗∗ CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355)) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-025/ ∗∗∗ CODESYS: Vulnerability in CODESYS Development System allows execution of binaries ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-021/ ∗∗∗ CODESYS: Missing integrity check in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-022/ ∗∗∗ Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-033383) ∗∗∗ --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-vi… ∗∗∗ CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-019/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2023
by Daily end-of-shift report 02 Aug '23

02 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2023 18:00 − Mittwoch 02-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat actors abuse Google AMP for evasive phishing attacks ∗∗∗ --------------------------------------------- Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ Amazons AWS SSM agent can be used as post-exploitation RAT malware ∗∗∗ --------------------------------------------- Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platforms System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be… ∗∗∗ New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer thats equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Network Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. There is no evidence to suggest that the cyber offensive is currently active. --------------------------------------------- https://thehackernews.com/2023/08/new-nodestealer-targeting-facebook.html ∗∗∗ Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack ∗∗∗ --------------------------------------------- A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon. [..] Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned. --------------------------------------------- https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collid… ∗∗∗ New hVNC macOS Malware Advertised on Hacker Forum ∗∗∗ --------------------------------------------- A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum. --------------------------------------------- https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-fo… ∗∗∗ SSH Remains Most Targeted Service in Cado’s Cloud Threat Report ∗∗∗ --------------------------------------------- Cado Security Labs 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities. --------------------------------------------- https://www.hackread.com/ssh-targeted-service-cado-cloud-threat-report/ ∗∗∗ The Most Important Part of the Internet You’ve Probably Never Heard Of ∗∗∗ --------------------------------------------- Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. --------------------------------------------- https://www.cisa.gov/news-events/news/most-important-part-internet-youve-pr… ∗∗∗ CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-p… ===================== = Vulnerabilities = ===================== ∗∗∗ K000135479: Overview of F5 vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000135479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940103/ ∗∗∗ IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017724 ∗∗∗ IBM TRIRIGA Application Platform suseptable to clickjacking (CBE-2017-4015) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017716 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2023
by Daily end-of-shift report 01 Aug '23

01 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2023 18:00 − Dienstag 01-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers steal Signal, WhatsApp user data with fake Android chat app ∗∗∗ --------------------------------------------- Hackers are using a fake Android app named SafeChat to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsap… ∗∗∗ European Bank Customers Targeted in SpyNote Android Trojan Campaign ∗∗∗ --------------------------------------------- Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023."The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," [..] --------------------------------------------- https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html ∗∗∗ BSI-Magazin: Neue Ausgabe erschienen ∗∗∗ --------------------------------------------- In der neuen Ausgabe seines Magazins „Mit Sicherheit“ beleuchtet das Bundesamt für Sicherheit in der Informationstechnik (BSI) aktuelle Themen der Cybersicherheit. Im Fokus steht der digitale Verbraucherschutz. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Kaufen Sie nicht in diesen betrügerischen Online-Apotheken ein! ∗∗∗ --------------------------------------------- Ob Schlaftabletten, Schmerz- oder Potzenmittel: Betrügerische Online-Apotheken setzen auf eine breite Produktpalette und bieten verschreibungspflichtige Medikamente ohne Rezept an. Aktuell stoßen wir auf zahlreiche solcher betrügerischen Versandapotheken. Die bestellten Waren werden oftmals gar nicht geliefert und wenn doch, müssen Konsument:innen mit wirkungslosen oder sogar mit gesundheitsschädigenden Fälschungen rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-diesen-betrueger… ∗∗∗ Tuesday August 8th 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address: * 3 high severity issues. * 2 medium severity issues. * 2 low severity issues. --------------------------------------------- https://nodejs-9c1r4fxv8-openjs.vercel.app/en/blog/vulnerability/august-202… ===================== = Vulnerabilities = ===================== ∗∗∗ TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-029 ∗∗∗ Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-028 ∗∗∗ Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-027 ∗∗∗ OpenSSL version 3.1.2 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.1-notes.html ∗∗∗ OpenSSL version 3.0.10 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html ∗∗∗ OpenSSL version 1.1.1v released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] - Fix excessive time spent checking DH q parameter value (CVE-2023-3817) - Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) --------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html ∗∗∗ Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 ∗∗∗ --------------------------------------------- Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. [..] A (malicious) guest that doesnt include the workaround for erratum 1508412 could deadlock the core. This will ultimately result to a deadlock of the system. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2023-08/msg00000.ht… ∗∗∗ SVD-2023-0702: Unauthenticated Log Injection In Splunk SOAR ∗∗∗ --------------------------------------------- Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-0702 ∗∗∗ WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin ∗∗∗ --------------------------------------------- Description: Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Affected Plugin: Stripe Payment Plugin for WooCommerce Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 Fully Patched Version: 3.7.8 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-b… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/939917/ ∗∗∗ Security Vulnerabilities fixed in Firefox 116 ∗∗∗ --------------------------------------------- Impact high: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/ ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015865 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015871 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Google PubSub nodes are vulnerable to arbitrary code execution due to [CVE-2023-36665] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015873 ∗∗∗ IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-protocol attacks due to sendmail (CVE-2021-3618) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013521 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to use of IBM SDK Java Technology Edition, Version 8 (CVE-2023-21967, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015879 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016688 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM PowerVM Novalink is vulnerable because RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File. (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016690 ∗∗∗ IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016696 ∗∗∗ IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016698 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014913 ∗∗∗ Vulnerability in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014915 ∗∗∗ Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014917 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014919 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010669 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to an XML External Entity (XXE) Injection vulnerability - CVE-2023-27554 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016810 ∗∗∗ CVE-2022-40609 affects IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017032 ∗∗∗ The IBM Engineering Lifecycle Engineering products using IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks. (CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015777 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-24998 , CVE-2022-31129) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015061 ∗∗∗ IBM Robotic Process Automation is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes (CVE-2023-23476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017490 ∗∗∗ Decision Optimization for Cloud Pak for Data is vulnerable to a server-side request forgery (CVE-2023-28155). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017586 ∗∗∗ IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017628 ∗∗∗ IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2023-29406) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017634 ∗∗∗ APSystems Altenergy Power Control ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2023
by Daily end-of-shift report 31 Jul '23

31 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2023 18:00 − Montag 31-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Linux version of Abyss Locker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The Abyss Locker operation is the latest to develop a Linux encryptor to target VMwares ESXi virtual machines platform in attacks on the enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locke… ∗∗∗ Hackers exploit BleedingPipe RCE to target Minecraft servers, players ∗∗∗ --------------------------------------------- Hackers are actively exploiting a BleedingPipe remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe… ∗∗∗ P2PInfect server botnet spreads using Redis replication feature ∗∗∗ --------------------------------------------- Threat actors are actively targeting exposed instances of the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spre… ∗∗∗ Automatically Finding Prompt Injection Attacks ∗∗∗ --------------------------------------------- Researchers have just published a paper showing how to automate the discovery of prompt injection attacks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt… ∗∗∗ WordPress Vulnerability & Patch Roundup July 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service ∗∗∗ --------------------------------------------- More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. --------------------------------------------- https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html ∗∗∗ Apple iOS, Google Android Patch Zero-Days in July Security Updates ∗∗∗ --------------------------------------------- Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities. --------------------------------------------- https://www.wired.com/story/apple-google-microsoft-zero-day-fix-july-2023/ ∗∗∗ Exploiting the StackRot vulnerability ∗∗∗ --------------------------------------------- For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li hasposted a detailedwriteup of the bug and how it can be exploited. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. --------------------------------------------- https://lwn.net/Articles/939542/ ∗∗∗ Sie verkaufen Ihr Auto? Vorsicht bei Abwicklung über Kurierdiensten oder Speditionen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen gibt es sie: betrügerische Anfragen. Die Person will Ihr Auto ohne Besichtigung und Preisverhandlung kaufen, schickt ungefragt eine Ausweiskopie und wirkt unkompliziert. Da die Person aber im Ausland ist und das Auto nicht abholen kann, beauftragt sie einen Kurierdienst. Spätestens jetzt sollten die Alarmglocken schrillen, denn es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-ihr-auto-vorsicht-bei-… ∗∗∗ Windows UAC aushebeln ∗∗∗ --------------------------------------------- Gerade auf Twitter auf ein Projekt mit dem Namen Defeating Windows User Account Control gestoßen, wo jemand über Wege nachdenkt, die Benutzerkontensteuerung von Windows auszuhebeln. Er hat ein kleines Tool entwickelt, mit dem sich die Windows-Benutzerkontensteuerung durch Missbrauch der integrierten [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/29/windows-uac-aushebeln/ ∗∗∗ CISA Releases Malware Analysis Reports on Barracuda Backdoors ∗∗∗ --------------------------------------------- CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-an… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-35081 - New Ivanti EPMM Vulnerability ∗∗∗ --------------------------------------------- During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability ∗∗∗ WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-014/ ∗∗∗ WAGO: Multiple products prone to multiple vulnerabilities in e!Runtime / CODESYS V3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-026/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2023
by Daily end-of-shift report 28 Jul '23

28 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2023 18:00 − Freitag 28-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Android malware uses OCR to steal credentials from images ∗∗∗ --------------------------------------------- Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr… ∗∗∗ Nutzerdaten in Gefahr: Hunderttausende von Wordpress-Seiten anfällig für Datenklau ∗∗∗ --------------------------------------------- Drei Schwachstellen im Wordpress-Plugin Ninja Forms können mitunter massive Datenlecks zur Folge haben. Admins sollten zeitnah updaten. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpre… ∗∗∗ ShellCode Hidden with Steganography, (Fri, Jul 28th) ∗∗∗ --------------------------------------------- When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs. --------------------------------------------- https://isc.sans.edu/diary/rss/30074 ∗∗∗ Hackers Abusing Windows Search Feature to Install Remote Access Trojans ∗∗∗ --------------------------------------------- A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. --------------------------------------------- https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.ht… ∗∗∗ IcedID Malware Adapts and Expands Threat with Updated BackConnect Module ∗∗∗ --------------------------------------------- The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module thats used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. --------------------------------------------- https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html ∗∗∗ Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware ∗∗∗ --------------------------------------------- Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. “Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read. --------------------------------------------- https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-player… ∗∗∗ Angreifer können NAS- und IP-Videoüberwachungssysteme von Qnap lahmlegen ∗∗∗ --------------------------------------------- Mehrere Netzwerkprodukte von Qnap sind für eine DoS-Attacken anfällig. Dagegen abgesicherte Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9229575 ∗∗∗ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 ∗∗∗ --------------------------------------------- This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes. --------------------------------------------- https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in… ∗∗∗ Zimbra Patches Exploited Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks. --------------------------------------------- https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerabilit… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse ∗∗∗ --------------------------------------------- The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required ∗∗∗ --------------------------------------------- Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html ∗∗∗ ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1010/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload ∗∗∗ --------------------------------------------- An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/939445/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/939519/ ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-04 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) ∗∗∗ --------------------------------------------- An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-09 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2023
by Daily end-of-shift report 27 Jul '23

27 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2023 18:00 − Donnerstag 27-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 KB5028244 update released with 19 fixes, improved security ∗∗∗ --------------------------------------------- Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update… ∗∗∗ APT trends report Q2 2023 ∗∗∗ --------------------------------------------- This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2023/110231/ ∗∗∗ Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining ∗∗∗ --------------------------------------------- Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. --------------------------------------------- https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html ∗∗∗ Android Güncelleme – dissecting a malicious update installer ∗∗∗ --------------------------------------------- Recently, during one of F-Secure Android’s routine tests, we came across one such fake Android update sample – Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat. --------------------------------------------- https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-… ∗∗∗ Fruity trojan downloader performs multi-stage infection of Windows computers ∗∗∗ --------------------------------------------- For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers. --------------------------------------------- https://news.drweb.com/show/?i=14728&lng=en&c=9 ∗∗∗ SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334) ∗∗∗ --------------------------------------------- Das Softwareentwicklungstool unterstützt eine nach eigenen Angaben irreversible Funktion, mit der sich Programmklassen in Omnis-Bibliotheken sperren lassen (locked classes).[..] Aufgrund von Implementierungsfehlern, die während eines Sicherheitstests entdeckt wurden, ist es jedoch möglich, gesperrte Omnis-Klassen zu entsperren, um diese im Omnis Studio-Browser weiter analysieren oder auch modifizieren zu können. Dieser Sachverhalt erfüllt nicht die Erwartungen an eine irreversible Funktion. --------------------------------------------- https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-… ∗∗∗ Vorsicht bei "fehlgeschlagenen Zahlungen" auf Booking ∗∗∗ --------------------------------------------- Sie haben eine Nachricht des Hotels bekommen, das Sie über Booking.com gebucht haben und werden zur Bestätigung Ihrer Kreditkarte aufgefordert? Achtung – hierbei handelt es sich um eine ausgeklügelte Phishing-Masche! Die Kriminellen stehlen Ihre Daten und Sie bezahlen Ihr Hotel doppelt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlun… ∗∗∗ Online-Banking: Vorsicht vor Suchmaschinen-Phishing ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben ihre betrügerischen Bank-Webseiten auch bei populären Suchmaschinen wie Google, Yahoo oder Bing. --------------------------------------------- https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phi… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation ∗∗∗ --------------------------------------------- The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation. --------------------------------------------- https://kb.cert.org/vuls/id/813349 ∗∗∗ Schwachstellen entdeckt: 40 Prozent aller Ubuntu-Systeme erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Zwei Schwachstellen im OverlayFS-Modul von Ubuntu gefährden zahllose Server-Systeme. Admins sollten die Kernel-Module zeitnah aktualisieren. (Sicherheitslücke, Ubuntu) --------------------------------------------- https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-s… ∗∗∗ ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1002/ ∗∗∗ Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032 ∗∗∗ --------------------------------------------- Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-032 ∗∗∗ Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031 ∗∗∗ --------------------------------------------- The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-031 ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ SolarWinds Platform Security Advisories ∗∗∗ --------------------------------------------- - Access Control Bypass Vulnerability CVE-2023-3622 - Incorrect Behavior Order Vulnerability CVE-2023-33224 - Incorrect Input Neutralization Vulnerability CVE-2023-33229 - Deserialization of Untrusted Data Vulnerability CVE-2023-33225 - Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844 - Incorrect Comparison Vulnerability CVE-2023-23843 --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627 CVSS 3.0 Score(s): 4.2 Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US ∗∗∗ Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1 ∗∗∗ --------------------------------------------- Platform: macOS Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues. CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ Sicherheitsupdates: Angreifer können Access Points von Aruba übernehmen ∗∗∗ --------------------------------------------- Wenn die Netzwerkbetriebssysteme ArubaOS 10 oder InstantOS zum Einsatz kommen, sind Access Points von Aruba verwundbar. --------------------------------------------- https://heise.de/-9227914 ∗∗∗ Jetzt patchen! Root-Sicherheitslücke gefährdet Mikrotik-Router ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können sich Angreifer in Routern von Mikrotik zum Super-Admin hochstufen. --------------------------------------------- https://heise.de/-9226696 ∗∗∗ Sicherheitsupdate: Angreifer können Sicherheitslösung Sophos UTM attackieren ∗∗∗ --------------------------------------------- Sophos Unified Threat Management ist verwundbar. Aktuelle Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9228570 ∗∗∗ Synology-SA-23:10 SRM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_10 ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-208-01 ETIC Telecom RAS Authentication - ICSA-23-208-02 PTC KEPServerEX - ICSA-23-208-03 Mitsubishi Electric CNC Series - ICSA-22-307-01 ETIC RAS (Update A) - ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-indus… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012005 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012009 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012001 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012033 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014267 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012003 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012037 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014905 ∗∗∗ IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014929 ∗∗∗ IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014933 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOps ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014939 ∗∗∗ IBM\u00ae Db2\u00ae has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability ( CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014981 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014991 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014993 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014995 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014997 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014999 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015003 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015007 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015009 ∗∗∗ IBM Event Streams is affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014405 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2023
by Daily end-of-shift report 26 Jul '23

26 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2023 18:00 − Mittwoch 26-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mysterious Decoy Dog malware toolkit still lurks in DNS shadows ∗∗∗ --------------------------------------------- New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware… ∗∗∗ New Nitrogen malware pushed via Google Ads for ransomware attacks ∗∗∗ --------------------------------------------- A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-… ∗∗∗ How to Scan A Website for Vulnerabilities ∗∗∗ --------------------------------------------- Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it’s so important that you regularly scan your website for vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html ∗∗∗ Sneaky Python package security fixes help no one – except miscreants ∗∗∗ --------------------------------------------- Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silen… ∗∗∗ Tool Release: Cartographer ∗∗∗ --------------------------------------------- Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games. --------------------------------------------- https://research.nccgroup.com/2023/07/20/tool-release-cartographer/ ∗∗∗ New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets ∗∗∗ --------------------------------------------- Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware. --------------------------------------------- https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-gam… ∗∗∗ Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability ∗∗∗ --------------------------------------------- GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489) --------------------------------------------- https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-… ===================== = Vulnerabilities = ===================== ∗∗∗ ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285) ∗∗∗ --------------------------------------------- ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ B&R Automation Runtime SYN Flooding Vulnerability in Portmapper ∗∗∗ --------------------------------------------- CVE-2023-3242, CVSS v3.1 Base Score: 8.6 The Portmapper service used in Automation Runtime versions <G4.93 is vulnerable to SYN flooding attacks. An unauthenticated network-based attacker may use this vulnerability to cause several services running on B&R Automation Runtime to become permanently inaccessible. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16897876… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django). --------------------------------------------- https://lwn.net/Articles/939305/ ∗∗∗ Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-expl… ∗∗∗ Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95727578/ ∗∗∗ AIX is vulnerable to denial of service due to zlib (CVE-2022-37434) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014483 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014485 ∗∗∗ IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001885 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014649 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014651 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014659 ∗∗∗ CVE-2023-0465 may affect IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014675 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014693 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerabilitiy [CVE-2023-25661] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014695 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerabilitiy [CVE-2023-2251] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0